ID

VAR-201606-0055


CVE

CVE-2016-5722


TITLE

OceanStor vulnerable to replay attacks

Trust: 0.8

sources: JVNDB: JVNDB-2016-003328

DESCRIPTION

Huawei OceanStor 5300 V3, 5500 V3, 5600 V3, 5800 V3, 6800 V3, 18800 V3, and 18500 V3 before V300R003C10 sends the plaintext session token in the HTTP header, which allows remote attackers to conduct replay attacks and obtain sensitive information by sniffing the network. OceanStor contains a vulnerability in which the session token is sent in cleartext in the HTTP header, so that a replay attack can be carried out and important information obtained. A third party who intercepts network traffic may carry out a replay attack and obtain important information. Huawei OceanStor 5300 and the other listed models are storage products from Huawei. A security vulnerability exists in several Huawei OceanStor products. The vulnerability stems from the fact that the program sends a cleartext session token in the HTTP header. A remote attacker can exploit the vulnerability by sniffing the network to carry out replay attacks and obtain sensitive information. This may lead to other attacks. The following products and versions are affected: Huawei OceanStor 5300 V3, 5500 V3, 5600 V3, 5800 V3, 6800 V3, 18800 V3, and 18500 V3 versions earlier than V300R003C10.

Trust: 2.52

sources: NVD: CVE-2016-5722 // JVNDB: JVNDB-2016-003328 // CNVD: CNVD-2016-04381 // BID: 91472 // VULHUB: VHN-94541

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-04381

AFFECTED PRODUCTS

vendor: huawei, model: ocean stor, scope: lte, version: v300r002c10spc200

Trust: 1.0

vendor: huawei, model: ocean stor, scope: lte, version: v300r003c00spc100

Trust: 1.0

vendor: huawei, model: oceanstor 5300 v3, scope: -, version: -

Trust: 0.8

vendor: huawei, model: oceanstor 5500 v3, scope: -, version: -

Trust: 0.8

vendor: huawei, model: oceanstor 5600 v3, scope: -, version: -

Trust: 0.8

vendor: huawei, model: oceanstor 5800 v3, scope: -, version: -

Trust: 0.8

vendor: huawei, model: oceanstor 6800 v3, scope: -, version: -

Trust: 0.8

vendor: huawei, model: oceanstor oceanstor 18500 v3, scope: -, version: -

Trust: 0.8

vendor: huawei, model: oceanstor oceanstor 18800 v3, scope: -, version: -

Trust: 0.8

vendor: huawei, model: oceanstor, scope: lt, version: v300r003c10

Trust: 0.8

vendor: huawei, model: oceanstor v300r003c00spc100, scope: eq, version: 5300

Trust: 0.6

vendor: huawei, model: oceanstor <=v300r002c10spc200, scope: eq, version: 5300v3

Trust: 0.6

vendor: huawei, model: oceanstor v300r003c00spc100, scope: eq, version: 5500v3

Trust: 0.6

vendor: huawei, model: oceanstor <=v300r002c10spc200, scope: eq, version: 5500v3

Trust: 0.6

vendor: huawei, model: oceanstor v300r003c00spc100, scope: eq, version: 5600v3

Trust: 0.6

vendor: huawei, model: oceanstor <=v300r002c10spc200, scope: eq, version: 5600v3

Trust: 0.6

vendor: huawei, model: oceanstor v300r003c00spc100, scope: eq, version: 5800v3

Trust: 0.6

vendor: huawei, model: oceanstor <=v300r002c10spc200, scope: eq, version: 5800v3

Trust: 0.6

vendor: huawei, model: oceanstor v300r003c00spc100, scope: eq, version: 6800v3

Trust: 0.6

vendor: huawei, model: oceanstor v300r003c00spc100, scope: eq, version: 18800v3

Trust: 0.6

vendor: huawei, model: oceanstor v300r003c00spc100, scope: eq, version: 18500v3

Trust: 0.6

vendor: huawei, model: ocean stor 18500 v3, scope: eq, version: -

Trust: 0.6

vendor: huawei, model: ocean stor 5600 v3, scope: eq, version: -

Trust: 0.6

vendor: huawei, model: ocean stor 5800 v3, scope: eq, version: -

Trust: 0.6

vendor: huawei, model: ocean stor 5300 v3, scope: eq, version: -

Trust: 0.6

vendor: huawei, model: ocean stor 5500 v3, scope: eq, version: -

Trust: 0.6

vendor: huawei, model: ocean stor 6800 v3, scope: eq, version: -

Trust: 0.6

vendor: huawei, model: ocean stor 18800 v3, scope: eq, version: -

Trust: 0.6

sources: CNVD: CNVD-2016-04381 // JVNDB: JVNDB-2016-003328 // CNNVD: CNNVD-201606-576 // NVD: CVE-2016-5722

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5722
value: HIGH

Trust: 1.0

NVD: CVE-2016-5722
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-04381
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201606-576
value: HIGH

Trust: 0.6

VULHUB: VHN-94541
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-5722
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-04381
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-94541
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-5722
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-04381 // VULHUB: VHN-94541 // JVNDB: JVNDB-2016-003328 // CNNVD: CNNVD-201606-576 // NVD: CVE-2016-5722

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.9

sources: VULHUB: VHN-94541 // JVNDB: JVNDB-2016-003328 // NVD: CVE-2016-5722

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201606-576

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201606-576

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-003328

PATCH

title: huawei-sa-20160615-01-oceanstor, url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160615-01-oceanstor-en

Trust: 0.8

title: Patches for the transmission of tokens in plaintext transmissions of various Huawei OceanStor products, url: https://www.cnvd.org.cn/patchInfo/show/78296

Trust: 0.6

title: Multiple Huawei OceanStor Product security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62492

Trust: 0.6

sources: CNVD: CNVD-2016-04381 // JVNDB: JVNDB-2016-003328 // CNNVD: CNNVD-201606-576

EXTERNAL IDS

db: NVD, id: CVE-2016-5722

Trust: 3.4

db: JVNDB, id: JVNDB-2016-003328

Trust: 0.8

db: CNNVD, id: CNNVD-201606-576

Trust: 0.7

db: CNVD, id: CNVD-2016-04381

Trust: 0.6

db: BID, id: 91472

Trust: 0.3

db: VULHUB, id: VHN-94541

Trust: 0.1

sources: CNVD: CNVD-2016-04381 // VULHUB: VHN-94541 // BID: 91472 // JVNDB: JVNDB-2016-003328 // CNNVD: CNNVD-201606-576 // NVD: CVE-2016-5722

REFERENCES

url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160615-01-oceanstor-en

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5722

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-5722

Trust: 0.8

url: http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20160615-01-oceanstor-cn

Trust: 0.6

sources: CNVD: CNVD-2016-04381 // VULHUB: VHN-94541 // JVNDB: JVNDB-2016-003328 // CNNVD: CNNVD-201606-576 // NVD: CVE-2016-5722

CREDITS

The vendor reported the issue.

Trust: 0.3

sources: BID: 91472

SOURCES

db: CNVD, id: CNVD-2016-04381
db: VULHUB, id: VHN-94541
db: BID, id: 91472
db: JVNDB, id: JVNDB-2016-003328
db: CNNVD, id: CNNVD-201606-576
db: NVD, id: CVE-2016-5722

LAST UPDATE DATE

2025-04-13T23:27:25.764000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2016-04381, date: 2016-06-30T00:00:00
db: VULHUB, id: VHN-94541, date: 2016-09-29T00:00:00
db: BID, id: 91472, date: 2016-07-06T15:06:00
db: JVNDB, id: JVNDB-2016-003328, date: 2016-06-28T00:00:00
db: CNNVD, id: CNNVD-201606-576, date: 2016-06-27T00:00:00
db: NVD, id: CVE-2016-5722, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2016-04381, date: 2016-06-30T00:00:00
db: VULHUB, id: VHN-94541, date: 2016-06-24T00:00:00
db: BID, id: 91472, date: 2016-06-28T00:00:00
db: JVNDB, id: JVNDB-2016-003328, date: 2016-06-28T00:00:00
db: CNNVD, id: CNNVD-201606-576, date: 2016-06-27T00:00:00
db: NVD, id: CVE-2016-5722, date: 2016-06-24T17:59:04.597