CVE-2017-2715

The Files APP 7.1.1.309 and earlier versions in some Huawei mobile phones has a brute-force password cracking vulnerability due to the improper design of the Safe key database. An unauthorized attacker could access sensitive database information and may crack users' Safe passwords, leading to information leak.

CVSS v3 7.8 HIGH
CVSS v2.0 2.1 LOW

7.8^/10

CVSS v3 : HIGH

Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170425-01-files-en	VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:huawei:files:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-11-22 19:29

Updated : 2024-02-04 19:29

NVD link : CVE-2017-2715

Mitre link : CVE-2017-2715

CVE.ORG link : CVE-2017-2715

JSON object : View

Products Affected

huawei

files

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2017-2715", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": true, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2017-11-22T19:29:01.117", "references": [{"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170425-01-files-en", "tags": ["VDB Entry"], "source": "psirt@huawei.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The Files APP 7.1.1.309 and earlier versions in some Huawei mobile phones has a brute-force password cracking vulnerability due to the improper design of the Safe key database. An unauthorized attacker could access sensitive database information and may crack users' Safe passwords, leading to information leak."}, {"lang": "es", "value": "Files APP en su versi\u00f3n 7.1.1.309 y anteriores en algunos tel\u00e9fonos m\u00f3viles Huawei tiene una vulnerabilidad de descifrado de contrase\u00f1as por fuerza bruta debido al dise\u00f1o inadecuado de la base de datos de Safe key. Un atacante no autorizado podr\u00eda acceder a informaci\u00f3n sensible de la base de datos y podr\u00eda descifrar las contrase\u00f1as Safe de los usuarios, lo que conduce a un filtrado de informaci\u00f3n."}], "lastModified": "2017-12-11T16:55:27.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:huawei:files:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC4CA7CB-4ABD-4B9A-8F5E-7F8AAC485DD4", "versionEndIncluding": "7.1.1.309"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@huawei.com"}