CVE-2017-2694

The AlarmService component in HwVmall with software earlier than 1.5.2.0 versions has no control over calling permissions, allowing any third party to call. An attacker can construct a malicious application to call it. Consequently, alert music will be played suddenly, compromising user experience.

CVSS v3 3.3 LOW
CVSS v2.0 4.3 MEDIUM

3.3^/10

CVSS v3 : LOW

Vector : AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170125-01-vmall-en	Vendor Advisory
http://www.securityfocus.com/bid/95915	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:huawei:vmall:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-11-22 19:29

Updated : 2024-02-28 16:04

NVD link : CVE-2017-2694

Mitre link : CVE-2017-2694

CVE.ORG link : CVE-2017-2694

JSON object : View

Products Affected

huawei

vmall

CWE

CWE-275

Permission Issues

{"id": "CVE-2017-2694", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2017-11-22T19:29:00.397", "references": [{"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170125-01-vmall-en", "tags": ["Vendor Advisory"], "source": "psirt@huawei.com"}, {"url": "http://www.securityfocus.com/bid/95915", "tags": ["Third Party Advisory", "VDB Entry"], "source": "psirt@huawei.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-275"}]}], "descriptions": [{"lang": "en", "value": "The AlarmService component in HwVmall with software earlier than 1.5.2.0 versions has no control over calling permissions, allowing any third party to call. An attacker can construct a malicious application to call it. Consequently, alert music will be played suddenly, compromising user experience."}, {"lang": "es", "value": "El componente AlarmService en HwVmall con software en versiones anteriores a la 1.5.2.0 no tiene control sobre los permisos de llamada, permitiendo que cualquier tercero llame. Un atacante podr\u00eda construir una aplicaci\u00f3n maliciosa para llamarla. Consecuentemente, sonar\u00e1 de repente una m\u00fasica de alerta, comprometiendo la experiencia de usuario."}], "lastModified": "2017-12-11T17:06:38.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:huawei:vmall:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13DBABD6-A494-46B0-8A6D-07747DE2F385", "versionEndExcluding": "1.5.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@huawei.com"}