CVE-2018-7903 - OpenCVE

Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON injection vulnerability. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Due to insufficient verification of the input, this could be exploited to obtain the management privilege of the system.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Huawei	2288h V5 Firmware 1288h V5 Firmware 2288h V5 1288h V5

Configuration 1 [-]

AND

cpe:2.3:o:huawei:1288h_v5_firmware:v100r005c00:*:*:*:*:*:*:*

cpe:2.3:h:huawei:1288h_v5:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:huawei:2288h_v5_firmware:v100r005c00:*:*:*:*:*:*:*

cpe:2.3:h:huawei:2288h_v5:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180523-01-json-en	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: huawei

Published: 2018-05-24T14:00:00

Updated: 2018-05-24T13:57:01

Reserved: 2018-03-09T00:00:00

Link: CVE-2018-7903

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-05-24T14:29:00.483

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-7903

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "1288H V5; 2288H V5", "vendor": "Huawei Technologies Co., Ltd.", "versions": [{"status": "affected", "version": "V100R005C00"}]}], "datePublic": "2018-05-23T00:00:00", "descriptions": [{"lang": "en", "value": "Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON injection vulnerability. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Due to insufficient verification of the input, this could be exploited to obtain the management privilege of the system."}], "problemTypes": [{"descriptions": [{"description": "JSON injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-24T13:57:01", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180523-01-json-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2018-7903", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "1288H V5; 2288H V5", "version": {"version_data": [{"version_value": "V100R005C00"}]}}]}, "vendor_name": "Huawei Technologies Co., Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON injection vulnerability. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Due to insufficient verification of the input, this could be exploited to obtain the management privilege of the system."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "JSON injection"}]}]}, "references": {"reference_data": [{"name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180523-01-json-en", "refsource": "CONFIRM", "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180523-01-json-en"}]}}}}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2018-7903", "datePublished": "2018-05-24T14:00:00", "dateReserved": "2018-03-09T00:00:00", "dateUpdated": "2018-05-24T13:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:1288h_v5_firmware:v100r005c00:*:*:*:*:*:*:*", "matchCriteriaId": "40D2568F-0B77-40A2-AA93-278BE46231C2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:1288h_v5:-:*:*:*:*:*:*:*", "matchCriteriaId": "A97FE467-E5EB-45B4-B7EA-2E8232307CEE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:2288h_v5_firmware:v100r005c00:*:*:*:*:*:*:*", "matchCriteriaId": "0152651D-882D-4ED9-9FC7-F820A597FA6E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:2288h_v5:-:*:*:*:*:*:*:*", "matchCriteriaId": "0E01F546-8E5E-4A5A-B921-DF985FF1D7ED", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON injection vulnerability. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Due to insufficient verification of the input, this could be exploited to obtain the management privilege of the system."}, {"lang": "es", "value": "Huawei 1288H V5 y 288H V5 con versiones de software V100R005C00 tienen una vulnerabilidad de inyecci\u00f3n JSON. Un atacante remoto autenticado puede desencadenar una inyecci\u00f3n JSON para modificar la contrase\u00f1a del administrador. Debido a la validaci\u00f3n insuficiente de la entrada, esto podr\u00eda explotarse para obtener el privilegio de gesti\u00f3n del sistema."}], "id": "CVE-2018-7903", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-24T14:29:00.483", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180523-01-json-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}