Details of VAR-201711-0252

ID

VAR-201711-0252

CVE

CVE-2017-2736

TITLE

VCM5010 Command injection vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2017-010720 // CNNVD: CNNVD-201703-1399

DESCRIPTION

VCM5010 with software versions earlier before V100R002C50SPC100 has a command injection vulnerability. This is due to insufficient validation of user's input. An authenticated attacker could launch a command injection attack. VCM5010 Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. VCM5010 is a video content management platform of China Huawei, which is an integrated video big data analysis device. Huawei VCM5010 is prone to following security vulnerabilities: 1. An arbitrary file upload vulnerability 3. An authentication bypass vulnerability Attackers can exploit these issues to execute arbitrary commands, upload arbitrary files, or bypass the authentication mechanism and perform unauthorized actions. Other attacks may also be possible. Versions prior to VCM5010 V100R002C50SPC100 are vulnerable

Trust: 2.43

sources: NVD: CVE-2017-2736 // JVNDB: JVNDB-2017-010720 // CNVD: CNVD-2017-03718 // BID: 97231

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-03718

AFFECTED PRODUCTS

vendor:	huawei	model:	vcm5010	scope:	lt	version:	v100r002c50spc100	Trust: 1.8
vendor:	huawei	model:	vcm5010 <v100r002c50spc100	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	vcm5010	scope:	eq	version:	0	Trust: 0.3
vendor:	huawei	model:	vcm5010 v100r002c50spc100	scope:	ne	version:	-	Trust: 0.3

sources: CNVD: CNVD-2017-03718 // BID: 97231 // JVNDB: JVNDB-2017-010720 // NVD: CVE-2017-2736

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-2736
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-2736
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-03718
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201703-1399
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2017-2736
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-03718
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2017-2736
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-03718 // JVNDB: JVNDB-2017-010720 // CNNVD: CNNVD-201703-1399 // NVD: CVE-2017-2736

PROBLEMTYPE DATA

problemtype:

CWE-77

Trust: 1.8

sources: JVNDB: JVNDB-2017-010720 // NVD: CVE-2017-2736

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-1399

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201703-1399

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010720

PATCH

title:	huawei-sa-20170329-01-vcm	url:	http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-vcm-en	Trust: 0.8
title:	HuaweiVCM5010 command injection vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/91331	Trust: 0.6
title:	Huawei VCM5010 Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68897	Trust: 0.6

sources: CNVD: CNVD-2017-03718 // JVNDB: JVNDB-2017-010720 // CNNVD: CNNVD-201703-1399

EXTERNAL IDS

db:	NVD	id:	CVE-2017-2736	Trust: 3.3
db:	BID	id:	97231	Trust: 1.9
db:	JVNDB	id:	JVNDB-2017-010720	Trust: 0.8
db:	CNVD	id:	CNVD-2017-03718	Trust: 0.6
db:	CNNVD	id:	CNNVD-201703-1399	Trust: 0.6

sources: CNVD: CNVD-2017-03718 // BID: 97231 // JVNDB: JVNDB-2017-010720 // CNNVD: CNNVD-201703-1399 // NVD: CVE-2017-2736

REFERENCES

url:	http://www.securityfocus.com/bid/97231	Trust: 1.6
url:	http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-vcm-en	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2736	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2736	Trust: 0.8
url:	http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170329-01-vcm-cn	Trust: 0.6
url:	http://www.huawei.com/en/	Trust: 0.3
url:	http://e.huawei.com/en/products/enterprise-networking/video-surveillance/intelligent-cloud/vcm5010	Trust: 0.3
url:	http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170329-01-vcm-en	Trust: 0.3

sources: CNVD: CNVD-2017-03718 // BID: 97231 // JVNDB: JVNDB-2017-010720 // CNNVD: CNNVD-201703-1399 // NVD: CVE-2017-2736

CREDITS

Huawei

Trust: 0.9

sources: BID: 97231 // CNNVD: CNNVD-201703-1399

SOURCES

db:	CNVD	id:	CNVD-2017-03718
db:	BID	id:	97231
db:	JVNDB	id:	JVNDB-2017-010720
db:	CNNVD	id:	CNNVD-201703-1399
db:	NVD	id:	CVE-2017-2736

LAST UPDATE DATE

2025-04-20T23:19:45.119000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-03718	date:	2017-03-31T00:00:00
db:	BID	id:	97231	date:	2017-04-04T00:02:00
db:	JVNDB	id:	JVNDB-2017-010720	date:	2017-12-21T00:00:00
db:	CNNVD	id:	CNNVD-201703-1399	date:	2017-03-31T00:00:00
db:	NVD	id:	CVE-2017-2736	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-03718	date:	2017-03-31T00:00:00
db:	BID	id:	97231	date:	2017-03-29T00:00:00
db:	JVNDB	id:	JVNDB-2017-010720	date:	2017-12-21T00:00:00
db:	CNNVD	id:	CNNVD-201703-1399	date:	2017-03-31T00:00:00
db:	NVD	id:	CVE-2017-2736	date:	2017-11-22T19:29:01.960