ID

VAR-201705-3459


CVE

CVE-2017-2162


TITLE

FlashAir do not set credential information in PhotoShare

Trust: 0.8

sources: JVNDB: JVNDB-2017-000091

DESCRIPTION

FlashAir™ SDHC Memory Card (SD-WE Series <W-03>) V3.00.02 and earlier and FlashAir™ SDHC Memory Card (SD-WD/WC Series <W-02>) V2.00.04 and earlier allow default credentials to be set for wireless LAN connections to the product when the PhotoShare function is enabled through a web browser. When PhotoShare is enabled with a mobile application (either for Android or iOS), the application prompts the user to set credentials. As a result, a remote attacker with access to the wireless LAN may obtain image data by using default credentials (CWE-284). Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. If PhotoShare is enabled by web browsers, an attacker with access to the wireless LAN may obtain image data. There is a security hole in FlashAir SDHC Memory Card.

Trust: 2.16

sources: NVD: CVE-2017-2162 // JVNDB: JVNDB-2017-000091 // CNVD: CNVD-2017-07254

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-07254

AFFECTED PRODUCTS

vendor: toshiba, model: flashair, scope: lte, version: 2.00.04

Trust: 1.0

vendor: toshiba, model: flashair, scope: lte, version: 3.00.02

Trust: 1.0

vendor: toshiba, model: flashair, scope: lte, version: sdhc memory card (sd-wd/wc series <w-02>) v2.00.03

Trust: 0.8

vendor: toshiba, model: flashair, scope: lte, version: sdhc memory card (sd-we series <w-03>) v3.00.01

Trust: 0.8

vendor: toshiba, model: flashair sdhc memory card, scope: lte, version: <=v2.00.04

Trust: 0.6

vendor: toshiba, model: flashair sdhc memory card, scope: lte, version: <=v3.00.02

Trust: 0.6

vendor: toshiba, model: flashair, scope: eq, version: 3.00.02

Trust: 0.6

vendor: toshiba, model: flashair, scope: eq, version: 2.00.04

Trust: 0.6

sources: CNVD: CNVD-2017-07254 // JVNDB: JVNDB-2017-000091 // CNNVD: CNNVD-201705-770 // NVD: CVE-2017-2162

CVSS

SEVERITY, CVSSV2, CVSSV3

SEVERITY

nvd@nist.gov: CVE-2017-2162
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2017-000091
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-07254
value: LOW

Trust: 0.6

CNNVD: CNNVD-201705-770
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2017-2162
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2017-000091
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-07254
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2017-2162
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 1.0

IPA: JVNDB-2017-000091
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2017-07254 // JVNDB: JVNDB-2017-000091 // CNNVD: CNNVD-201705-770 // NVD: CVE-2017-2162

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2017-000091 // NVD: CVE-2017-2162

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201705-770

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201705-770

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-000091

PATCH

title: How to Use the Photoshare function, url: http://www.toshiba-personalstorage.net/support/manual/flashair/wewdwc/photoshare.htm

Trust: 0.8

title: Photoshare of FlashAir may have a security vulnerability to a fixed password, url: http://www.toshiba-personalstorage.net/news/20170516a.htm

Trust: 0.8

title: SDHC Memory Card with embedded wireless LAN functionality FlashAir (SD-WD/WC series <W-02>), url: http://www.toshiba-personalstorage.net/endproduct/flashair/index_j.htm

Trust: 0.8

title: SDHC Memory Card with embedded wireless LAN functionality FlashAir (SD-WE series <W-03>), url: http://www.toshiba-personalstorage.net/product/flashair/index_j.htm

Trust: 0.8

title: Patch for FlashAir SDHC Memory Card Information Disclosure Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/94141

Trust: 0.6

title: Toshiba FlashAir™ SDHC Memory Card Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70339

Trust: 0.6

sources: CNVD: CNVD-2017-07254 // JVNDB: JVNDB-2017-000091 // CNNVD: CNNVD-201705-770

EXTERNAL IDS

db: JVNDB, id: JVNDB-2017-000091

Trust: 3.0

db: NVD, id: CVE-2017-2162

Trust: 3.0

db: JVN, id: JVN81820501

Trust: 2.4

db: CNVD, id: CNVD-2017-07254

Trust: 0.6

db: CNNVD, id: CNNVD-201705-770

Trust: 0.6

sources: CNVD: CNVD-2017-07254 // JVNDB: JVNDB-2017-000091 // CNNVD: CNNVD-201705-770 // NVD: CVE-2017-2162

REFERENCES

url: https://jvn.jp/en/jp/jvn81820501/index.html

Trust: 2.4

url: http://jvndb.jvn.jp/jvndb/jvndb-2017-000091

Trust: 2.2

url: http://www.toshiba-personalstorage.net/news/20170516a.htm

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2162

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-2162

Trust: 0.8

sources: CNVD: CNVD-2017-07254 // JVNDB: JVNDB-2017-000091 // CNNVD: CNNVD-201705-770 // NVD: CVE-2017-2162

SOURCES

db: CNVD, id: CNVD-2017-07254
db: JVNDB, id: JVNDB-2017-000091
db: CNNVD, id: CNNVD-201705-770
db: NVD, id: CVE-2017-2162

LAST UPDATE DATE

2025-04-20T23:36:54.534000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-07254, date: 2017-05-23T00:00:00
db: JVNDB, id: JVNDB-2017-000091, date: 2017-12-21T00:00:00
db: CNNVD, id: CNNVD-201705-770, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-2162, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-07254, date: 2017-05-23T00:00:00
db: JVNDB, id: JVNDB-2017-000091, date: 2017-05-16T00:00:00
db: CNNVD, id: CNNVD-201705-770, date: 2017-05-17T00:00:00
db: NVD, id: CVE-2017-2162, date: 2017-05-22T16:29:00.607