Sign-up

ID

VAR-201707-0330


CVE

CVE-2017-2238


TITLE

Cross-site request forgery vulnerability in Toshiba Lighting & Technology Corporation Home gateway

Trust: 0.8

sources: JVNDB: JVNDB-2017-000151

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier and Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.The user may be tricked to perform unintended operation on the device. A remote attacker could exploit this vulnerability to perform unauthorized operations. Exploiting the issue will allow a remote attacker to use a victim's currently active session to hijack the authentication of administrators. Successful exploits will compromise affected device

Trust: 2.61

sources: NVD: CVE-2017-2238 // JVNDB: JVNDB-2017-000151 // CNVD: CNVD-2017-12980 // BID: 99516 // VULHUB: VHN-110441 // VULMON: CVE-2017-2238

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

category:['home & office device', 'network device']sub_category:smart home device

Trust: 0.1

category:['home & office device', 'network device']sub_category:gateway

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2017-12980

AFFECTED PRODUCTS

vendor:toshibamodel:hem-gw16ascope:lteversion:1.2.0

Trust: 1.0

vendor:toshibamodel:hem-gw26ascope:lteversion:1.2.0

Trust: 1.0

vendor:toshiba lightingmodel:home gateway hem-gw16ascope:lteversion:firmware hem-gw16a-fw-v1.2.0

Trust: 0.8

vendor:toshiba lightingmodel:home gateway hem-gw26ascope:lteversion:firmware hem-gw26a-fw-v1.2.0

Trust: 0.8

vendor:toshibamodel:home gateway hem-gw26a <=hem-gw26a-fw-v1.2.0scope: - version: -

Trust: 0.6

vendor:toshibamodel:home gateway hem-gw16a <=hem-gw16a-fw-v1.2.0scope: - version: -

Trust: 0.6

vendor:toshibamodel:hem-gw16ascope:eqversion:1.2.0

Trust: 0.6

vendor:toshibamodel:hem-gw26ascope:eqversion:1.2.0

Trust: 0.6

vendor:toshibamodel:home gateway hem-gw26a hem-gw26a-fw-v1.2.0scope: - version: -

Trust: 0.3

vendor:toshibamodel:home gateway hem-gw16a hem-gw16a-fw-v1.2.0scope: - version: -

Trust: 0.3

sources: CNVD: CNVD-2017-12980 // BID: 99516 // JVNDB: JVNDB-2017-000151 // CNNVD: CNNVD-201706-1247 // NVD: CVE-2017-2238

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-2238
value: HIGH

Trust: 1.0

IPA: JVNDB-2017-000151
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-12980
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-1247
value: MEDIUM

Trust: 0.6

VULHUB: VHN-110441
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-2238
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-2238
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

IPA: JVNDB-2017-000151
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-12980
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-110441
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-2238
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

IPA: JVNDB-2017-000151
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2017-12980 // VULHUB: VHN-110441 // VULMON: CVE-2017-2238 // JVNDB: JVNDB-2017-000151 // CNNVD: CNNVD-201706-1247 // NVD: CVE-2017-2238

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-110441 // JVNDB: JVNDB-2017-000151 // NVD: CVE-2017-2238

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-1247

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201706-1247

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-000151

PATCH
title:Toshiba Lighting & Technology Corporation websiteurl:http://www.tlt.co.jp/tlt/information/seihin/notice/defect/20170626/20170626.htm
Trust: 0.8
title:ToshibaHomegatewayHEM-GW16A firmware cross-site request forgery vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/97433
Trust: 0.6
title:TOSHIBA Home gateway HEM-GW26A  and HEM-GW16A Fixes for cross-site request forgery vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71382
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-12980 // 
            
            
            
            JVNDB: JVNDB-2017-000151 // 
            
            
            
            CNNVD: CNNVD-201706-1247

EXTERNAL IDS
db:NVDid:CVE-2017-2238
Trust: 3.6
db:JVNid:JVN85901441
Trust: 3.5
db:JVNDBid:JVNDB-2017-000151
Trust: 1.4
db:CNNVDid:CNNVD-201706-1247
Trust: 0.7
db:CNVDid:CNVD-2017-12980
Trust: 0.6
db:BIDid:99516
Trust: 0.5
db:OTHERid:NONE
Trust: 0.1
db:VULHUBid:VHN-110441
Trust: 0.1
db:VULMONid:CVE-2017-2238
Trust: 0.1
sources:
            
            
            OTHER: None // 
            
            
            
            CNVD: CNVD-2017-12980 // 
            
            
            
            VULHUB: VHN-110441 // 
            
            
            
            VULMON: CVE-2017-2238 // 
            
            
            
            BID: 99516 // 
            
            
            
            JVNDB: JVNDB-2017-000151 // 
            
            
            
            CNNVD: CNNVD-201706-1247 // 
            
            
            
            NVD: CVE-2017-2238

REFERENCES
url:http://jvn.jp/en/jp/jvn85901441/index.html
Trust: 2.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2238
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-2238
Trust: 0.8
url:http://jvn.jp/en/jp/jvn85901441/
Trust: 0.6
url:http://jvndb.jvn.jp/en/contents/2017/jvndb-2017-000151.html
Trust: 0.6
url:http://www.toshiba.com/
Trust: 0.3
url:https://ieeexplore.ieee.org/abstract/document/10769424
Trust: 0.1
url:https://cwe.mitre.org/data/definitions/352.html
Trust: 0.1
url:https://www.securityfocus.com/bid/99516
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            OTHER: None // 
            
            
            
            CNVD: CNVD-2017-12980 // 
            
            
            
            VULHUB: VHN-110441 // 
            
            
            
            VULMON: CVE-2017-2238 // 
            
            
            
            BID: 99516 // 
            
            
            
            JVNDB: JVNDB-2017-000151 // 
            
            
            
            CNNVD: CNNVD-201706-1247 // 
            
            
            
            NVD: CVE-2017-2238

CREDITS
Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc.
Trust: 0.9
sources:
            
            
            BID: 99516 // 
            
            
            
            CNNVD: CNNVD-201706-1247

SOURCES
db:OTHERid: - 
db:CNVDid:CNVD-2017-12980
db:VULHUBid:VHN-110441
db:VULMONid:CVE-2017-2238
db:BIDid:99516
db:JVNDBid:JVNDB-2017-000151
db:CNNVDid:CNNVD-201706-1247
db:NVDid:CVE-2017-2238

LAST UPDATE DATE
2025-04-20T20:34:19.318000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-12980date:2017-07-06T00:00:00
db:VULHUBid:VHN-110441date:2017-07-14T00:00:00
db:VULMONid:CVE-2017-2238date:2017-07-14T00:00:00
db:BIDid:99516date:2017-06-27T00:00:00
db:JVNDBid:JVNDB-2017-000151date:2018-02-14T00:00:00
db:CNNVDid:CNNVD-201706-1247date:2017-07-10T00:00:00
db:NVDid:CVE-2017-2238date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:CNVDid:CNVD-2017-12980date:2017-07-06T00:00:00
db:VULHUBid:VHN-110441date:2017-07-07T00:00:00
db:VULMONid:CVE-2017-2238date:2017-07-07T00:00:00
db:BIDid:99516date:2017-06-27T00:00:00
db:JVNDBid:JVNDB-2017-000151date:2017-06-28T00:00:00
db:CNNVDid:CNNVD-201706-1247date:2017-06-27T00:00:00
db:NVDid:CVE-2017-2238date:2017-07-07T13:29:01.350