ID
VAR-201410-0925
CVE
CVE-2014-6434
TITLE
GoPro HERO 3+ of gpExec Vulnerable to arbitrary command execution
Trust: 0.8
DESCRIPTION
gpExec in GoPro HERO 3+ allows remote attackers to execute arbitrary commands via a the (1) a1 or (2) a2 parameter in a restart action. Authentication is not required to exploit this vulnerability.The specific flaw exists within the gpExec component. This component performs insufficient parameter validation on the a1/a2 parameters when the c1/c2 parameters are set to "restart". Successful exploitation will allow an attacker to execute arbitrary commands on the target device. The GoPro HERO 3+ is a sports camera. Failed exploit attempts will likely result in denial-of-service conditions
Trust: 3.15
IOT TAXONOMY
| category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | gopro | model: | hero | scope: | eq | version: | 3\+ | Trust: 2.6 |
| vendor: | gopro | model: | hero | scope: | eq | version: | 3+ | Trust: 2.2 |
| vendor: | gopro | model: | hero 3+ | scope: | - | version: | - | Trust: 0.7 |
| vendor: | gopro | model: | hero | scope: | eq | version: | 3+0 | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-78 | Trust: 1.9 |
THREAT TYPE
remote
Trust: 0.6
TYPE
operating system commend injection
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | Top Page | url: | http://jp.gopro.com/ | Trust: 0.8 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2014-6434 | Trust: 4.1 |
| db: | ZDI | id: | ZDI-14-348 | Trust: 4.1 |
| db: | BID | id: | 70250 | Trust: 1.0 |
| db: | JVNDB | id: | JVNDB-2014-004602 | Trust: 0.8 |
| db: | ZDI_CAN | id: | ZDI-CAN-2168 | Trust: 0.7 |
| db: | CNVD | id: | CNVD-2014-06580 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-201410-139 | Trust: 0.6 |
| db: | VULHUB | id: | VHN-74378 | Trust: 0.1 |
REFERENCES
| url: | http://www.zerodayinitiative.com/advisories/zdi-14-348/ | Trust: 3.4 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-6434 | Trust: 0.8 |
| url: | http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-6434 | Trust: 0.8 |
| url: | http://shop.gopro.com/cameras | Trust: 0.3 |
CREDITS
Brian Gorenc - HP Zero Day Initiative
Trust: 1.0
SOURCES
| db: | ZDI | id: | ZDI-14-348 |
| db: | CNVD | id: | CNVD-2014-06580 |
| db: | VULHUB | id: | VHN-74378 |
| db: | BID | id: | 70250 |
| db: | JVNDB | id: | JVNDB-2014-004602 |
| db: | CNNVD | id: | CNNVD-201410-139 |
| db: | NVD | id: | CVE-2014-6434 |
LAST UPDATE DATE
2025-04-13T23:42:06.373000+00:00
SOURCES UPDATE DATE
| db: | ZDI | id: | ZDI-14-348 | date: | 2014-10-02T00:00:00 |
| db: | CNVD | id: | CNVD-2014-06580 | date: | 2014-10-10T00:00:00 |
| db: | VULHUB | id: | VHN-74378 | date: | 2014-10-08T00:00:00 |
| db: | BID | id: | 70250 | date: | 2014-10-02T00:00:00 |
| db: | JVNDB | id: | JVNDB-2014-004602 | date: | 2014-10-09T00:00:00 |
| db: | CNNVD | id: | CNNVD-201410-139 | date: | 2014-10-16T00:00:00 |
| db: | NVD | id: | CVE-2014-6434 | date: | 2025-04-12T10:46:40.837 |
SOURCES RELEASE DATE
| db: | ZDI | id: | ZDI-14-348 | date: | 2014-10-02T00:00:00 |
| db: | CNVD | id: | CNVD-2014-06580 | date: | 2014-10-10T00:00:00 |
| db: | VULHUB | id: | VHN-74378 | date: | 2014-10-07T00:00:00 |
| db: | BID | id: | 70250 | date: | 2014-10-02T00:00:00 |
| db: | JVNDB | id: | JVNDB-2014-004602 | date: | 2014-10-09T00:00:00 |
| db: | CNNVD | id: | CNNVD-201410-139 | date: | 2014-10-14T00:00:00 |
| db: | NVD | id: | CVE-2014-6434 | date: | 2014-10-07T14:55:06.907 |