ID

VAR-201711-0254


CVE

CVE-2017-2738


TITLE

VCM5010 Authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-010722

DESCRIPTION

VCM5010 with software versions earlier than V100R002C50SPC100 has an authentication bypass vulnerability. This is due to improper implementation of authentication for accessing web pages. An unauthenticated attacker could bypass the authentication by sending a crafted HTTP request. VCM5010 with software versions earlier than V100R002C50SPC100 also has an arbitrary file upload vulnerability. The software does not validate the files that are uploaded. An authenticated attacker could upload arbitrary files to the system.

VCM5010 contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS).

VCM5010 is a video content management platform from Huawei (China), an integrated video big data analysis device. Huawei VCM5010 is prone to the following security vulnerabilities: 1. A remote command injection vulnerability. 2. An authentication bypass vulnerability. Attackers can exploit these issues to execute arbitrary commands, upload arbitrary files, or bypass the authentication mechanism and perform unauthorized actions. Other attacks may also be possible. Versions prior to VCM5010 V100R002C50SPC100 are vulnerable.

Trust: 2.43

sources: NVD: CVE-2017-2738 // JVNDB: JVNDB-2017-010722 // CNVD: CNVD-2017-03716 // BID: 97231

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-03716

AFFECTED PRODUCTS

vendor: huawei, model: vcm5010, scope: lt, version: v100r002c50spc100

Trust: 1.8

vendor: huawei, model: vcm5010 <v100r002c50spc100, scope: -, version: -

Trust: 0.6

vendor: huawei, model: vcm5010, scope: eq, version: 0

Trust: 0.3

vendor: huawei, model: vcm5010 v100r002c50spc100, scope: ne, version: -

Trust: 0.3

sources: CNVD: CNVD-2017-03716 // BID: 97231 // JVNDB: JVNDB-2017-010722 // NVD: CVE-2017-2738

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-2738
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-2738
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2017-03716
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201703-1401
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2017-2738
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-03716
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2017-2738
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-03716 // JVNDB: JVNDB-2017-010722 // CNNVD: CNNVD-201703-1401 // NVD: CVE-2017-2738

PROBLEMTYPE DATA

problemtype: CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2017-010722 // NVD: CVE-2017-2738

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-1401

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201703-1401

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010722

PATCH

title: huawei-sa-20170329-01-vcm, url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-vcm-en

Trust: 0.8

title: Patch for the Huawei VCM5010 authentication bypass vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/91332

Trust: 0.6

title: Huawei VCM5010 Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68899

Trust: 0.6

sources: CNVD: CNVD-2017-03716 // JVNDB: JVNDB-2017-010722 // CNNVD: CNNVD-201703-1401

EXTERNAL IDS

db: NVD, id: CVE-2017-2738

Trust: 3.3

db: BID, id: 97231

Trust: 1.9

db: JVNDB, id: JVNDB-2017-010722

Trust: 0.8

db: CNVD, id: CNVD-2017-03716

Trust: 0.6

db: CNNVD, id: CNNVD-201703-1401

Trust: 0.6

sources: CNVD: CNVD-2017-03716 // BID: 97231 // JVNDB: JVNDB-2017-010722 // CNNVD: CNNVD-201703-1401 // NVD: CVE-2017-2738

REFERENCES

url: http://www.securityfocus.com/bid/97231

Trust: 1.6

url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-vcm-en

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2738

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-2738

Trust: 0.8

url: http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170329-01-vcm-cn

Trust: 0.6

url: http://www.huawei.com/en/

Trust: 0.3

url: http://e.huawei.com/en/products/enterprise-networking/video-surveillance/intelligent-cloud/vcm5010

Trust: 0.3

url: http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170329-01-vcm-en

Trust: 0.3

sources: CNVD: CNVD-2017-03716 // BID: 97231 // JVNDB: JVNDB-2017-010722 // CNNVD: CNNVD-201703-1401 // NVD: CVE-2017-2738

CREDITS

Huawei

Trust: 0.9

sources: BID: 97231 // CNNVD: CNNVD-201703-1401

SOURCES

db: CNVD, id: CNVD-2017-03716
db: BID, id: 97231
db: JVNDB, id: JVNDB-2017-010722
db: CNNVD, id: CNNVD-201703-1401
db: NVD, id: CVE-2017-2738

LAST UPDATE DATE

2025-04-20T23:19:45.087000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-03716, date: 2017-03-31T00:00:00
db: BID, id: 97231, date: 2017-04-04T00:02:00
db: JVNDB, id: JVNDB-2017-010722, date: 2017-12-21T00:00:00
db: CNNVD, id: CNNVD-201703-1401, date: 2017-03-31T00:00:00
db: NVD, id: CVE-2017-2738, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-03716, date: 2017-03-31T00:00:00
db: BID, id: 97231, date: 2017-03-29T00:00:00
db: JVNDB, id: JVNDB-2017-010722, date: 2017-12-21T00:00:00
db: CNNVD, id: CNNVD-201703-1401, date: 2017-03-31T00:00:00
db: NVD, id: CVE-2017-2738, date: 2017-11-22T19:29:02.020