Details of VAR-201802-1276

ID

VAR-201802-1276

CVE

CVE-2018-7296

TITLE

eQ-3 AG Homematic CCU2 Vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2018-002348

DESCRIPTION

Directory Traversal / Arbitrary File Read in User.getLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to read the first line of an arbitrary file on the CCU2's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface. eQ-3 AG Homematic CCU2 Contains an information disclosure vulnerability.Information may be obtained. The eQ-3AGHomematicCCU2 is a central control unit for the German eQ-3 company that controls smart home devices. A directory traversal vulnerability exists in the User.getLanguage method in eQ-3AGHomematicCCU22.29.2 and earlier

Trust: 2.25

sources: NVD: CVE-2018-7296 // JVNDB: JVNDB-2018-002348 // CNVD: CNVD-2018-05832 // VULHUB: VHN-137328

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-05832

AFFECTED PRODUCTS

vendor:	eq 3	model:	homematic central control unit ccu2	scope:	lte	version:	2.29.22	Trust: 1.0
vendor:	eq 3	model:	homematic zentrale ccu2	scope:	lte	version:	2.29.2	Trust: 0.8
vendor:	eq 3	model:	ag homematic ccu2	scope:	lte	version:	<=2.29.22	Trust: 0.6
vendor:	eq 3	model:	homematic central control unit ccu2	scope:	eq	version:	2.29.22	Trust: 0.6

sources: CNVD: CNVD-2018-05832 // JVNDB: JVNDB-2018-002348 // CNNVD: CNNVD-201802-557 // NVD: CVE-2018-7296

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-7296
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-7296
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2018-05832
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201802-557
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-137328
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-7296
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-05832
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-137328
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-7296
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-05832 // VULHUB: VHN-137328 // JVNDB: JVNDB-2018-002348 // CNNVD: CNNVD-201802-557 // NVD: CVE-2018-7296

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.1
problemtype:	CWE-200	Trust: 0.9

sources: VULHUB: VHN-137328 // JVNDB: JVNDB-2018-002348 // NVD: CVE-2018-7296

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201802-557

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201802-557

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-002348

PATCH

title:

HomeMatic Zentrale CCU2

url:

http://www.eq-3.de/produkte/homematic/zentralen-und-gateways/homematic-zentrale-ccu-2.html

Trust: 0.8

sources: JVNDB: JVNDB-2018-002348

EXTERNAL IDS

db:	NVD	id:	CVE-2018-7296	Trust: 3.1
db:	JVNDB	id:	JVNDB-2018-002348	Trust: 0.8
db:	CNVD	id:	CNVD-2018-05832	Trust: 0.6
db:	CNNVD	id:	CNNVD-201802-557	Trust: 0.6
db:	VULHUB	id:	VHN-137328	Trust: 0.1

sources: CNVD: CNVD-2018-05832 // VULHUB: VHN-137328 // JVNDB: JVNDB-2018-002348 // CNNVD: CNNVD-201802-557 // NVD: CVE-2018-7296

REFERENCES

url:	http://atomic111.github.io/article/homematic-ccu2-fileread	Trust: 3.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7296	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-7296	Trust: 0.8

sources: CNVD: CNVD-2018-05832 // VULHUB: VHN-137328 // JVNDB: JVNDB-2018-002348 // CNNVD: CNNVD-201802-557 // NVD: CVE-2018-7296

SOURCES

db:	CNVD	id:	CNVD-2018-05832
db:	VULHUB	id:	VHN-137328
db:	JVNDB	id:	JVNDB-2018-002348
db:	CNNVD	id:	CNNVD-201802-557
db:	NVD	id:	CVE-2018-7296

LAST UPDATE DATE

2024-11-23T22:38:16.005000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-05832	date:	2018-03-21T00:00:00
db:	VULHUB	id:	VHN-137328	date:	2019-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-002348	date:	2018-04-10T00:00:00
db:	CNNVD	id:	CNNVD-201802-557	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2018-7296	date:	2024-11-21T04:11:57.297

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-05832	date:	2018-03-21T00:00:00
db:	VULHUB	id:	VHN-137328	date:	2018-02-22T00:00:00
db:	JVNDB	id:	JVNDB-2018-002348	date:	2018-04-10T00:00:00
db:	CNNVD	id:	CNNVD-201802-557	date:	2018-03-06T00:00:00
db:	NVD	id:	CVE-2018-7296	date:	2018-02-22T19:29:04.530