CVE-2018-7956 - OpenCVE

Huawei VIP App is a mobile app for Malaysia customers that purchased P20 Series, Nova 3/3i and Mate 20. There is a vulnerability in versions before 4.0.5 that attackers can conduct bruteforce to the VIP App Web Services to get user information.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Huawei	Mate 20 Firmware Nova 3i Nova 3 Mate 20 Nova 3 Firmware Nova 3i Firmware Vip App

Configuration 1 [-]

cpe:2.3:a:huawei:vip_app:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:huawei:mate_20_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:huawei:mate_20:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:huawei:nova_3i_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:huawei:nova_3i:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:huawei:nova_3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:huawei:nova_3:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181129-01-huaweivip-en	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: huawei

Published: 2018-12-04T18:00:00

Updated: 2018-12-04T17:57:01

Reserved: 2018-03-09T00:00:00

Link: CVE-2018-7956

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-12-04T18:29:00.310

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-7956

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Huawei VIP App", "vendor": "Huawei Technologies Co., Ltd.", "versions": [{"status": "affected", "version": "versions before 4.0.5"}]}], "datePublic": "2018-11-29T00:00:00", "descriptions": [{"lang": "en", "value": "Huawei VIP App is a mobile app for Malaysia customers that purchased P20 Series, Nova 3/3i and Mate 20. There is a vulnerability in versions before 4.0.5 that attackers can conduct bruteforce to the VIP App Web Services to get user information."}], "problemTypes": [{"descriptions": [{"description": "information leakage", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-04T17:57:01", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181129-01-huaweivip-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2018-7956", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Huawei VIP App", "version": {"version_data": [{"version_value": "versions before 4.0.5"}]}}]}, "vendor_name": "Huawei Technologies Co., Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Huawei VIP App is a mobile app for Malaysia customers that purchased P20 Series, Nova 3/3i and Mate 20. There is a vulnerability in versions before 4.0.5 that attackers can conduct bruteforce to the VIP App Web Services to get user information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "information leakage"}]}]}, "references": {"reference_data": [{"name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181129-01-huaweivip-en", "refsource": "CONFIRM", "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181129-01-huaweivip-en"}]}}}}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2018-7956", "datePublished": "2018-12-04T18:00:00", "dateReserved": "2018-03-09T00:00:00", "dateUpdated": "2018-12-04T17:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:huawei:vip_app:*:*:*:*:*:*:*:*", "matchCriteriaId": "F84B52BC-C664-46FD-B2F6-FC8CA5C7830C", "versionEndExcluding": "4.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:mate_20_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "0F3FB528-5C26-446F-9985-E325AB87203B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:mate_20:-:*:*:*:*:*:*:*", "matchCriteriaId": "B5322963-9375-4E4E-8119-895C224003AE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:nova_3i_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "203F2E2F-BC28-42A9-B67A-0C37482084E3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:nova_3i:-:*:*:*:*:*:*:*", "matchCriteriaId": "6E0CD264-B321-4E27-AFB6-601705AF0AB4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:nova_3_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "9BBC9263-82BB-4B33-B682-A7B1A65D1577", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:nova_3:-:*:*:*:*:*:*:*", "matchCriteriaId": "BF68FFB0-01F8-4937-8BF4-36866F02E9A8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Huawei VIP App is a mobile app for Malaysia customers that purchased P20 Series, Nova 3/3i and Mate 20. There is a vulnerability in versions before 4.0.5 that attackers can conduct bruteforce to the VIP App Web Services to get user information."}, {"lang": "es", "value": "Huawei VIP App es una aplicaci\u00f3n m\u00f3vil para los clientes de Malasia que adquirieron los modelos P20 Series, Nova 3/3i y Mate 20. Hay una vulnerabilidad en las versiones anteriores a la 4.0.5 que permite que los atacantes lleven a cabo ataques de fuerza bruta contra VIP App Web Services para obtener informaci\u00f3n de usuario."}], "id": "CVE-2018-7956", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-12-04T18:29:00.310", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181129-01-huaweivip-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}