Sign-up

ID

VAR-201803-1324


CVE

CVE-2017-17149


TITLE

Huawei HiWallet App Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012822

DESCRIPTION

Huawei HiWallet App with the versions before 8.0.4 has an arbitrary lock pattern change vulnerability. It needs to verify the user's Huawei ID during lock pattern change. An attacker with root privilege who gets a user's smart phone may bypass Huawei ID verification by special operation. Successful exploit of this vulnerability can allow an attacker to change the lock pattern of HiWallet. Huawei HiWallet App Contains an access control vulnerability.Information may be tampered with. Huawei HiWallet APP is prone to a local security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. Huawei HiWallet App is a money management (Huawei Wallet) app for mobile phones from the Chinese company Huawei (Huawei)

Trust: 1.98

sources: NVD: CVE-2017-17149 // JVNDB: JVNDB-2017-012822 // BID: 103689 // VULHUB: VHN-108142

AFFECTED PRODUCTS

vendor:huaweimodel:hiwalletscope:ltversion:8.0.4

Trust: 1.0

vendor:huaweimodel:hiwalletscope:ltversion:app 8.0.4

Trust: 0.8

vendor:huaweimodel:hiwallet appscope:eqversion:0

Trust: 0.3

vendor:huaweimodel:hiwallet appscope:neversion:8.0.4

Trust: 0.3

sources: BID: 103689 // JVNDB: JVNDB-2017-012822 // NVD: CVE-2017-17149

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-17149
value: LOW

Trust: 1.0

NVD: CVE-2017-17149
value: LOW

Trust: 0.8

CNNVD: CNNVD-201712-324
value: LOW

Trust: 0.6

VULHUB: VHN-108142
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-17149
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-108142
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-17149
baseSeverity: LOW
baseScore: 3.9
vectorString: CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 0.3
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-108142 // JVNDB: JVNDB-2017-012822 // CNNVD: CNNVD-201712-324 // NVD: CVE-2017-17149

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-108142 // JVNDB: JVNDB-2017-012822 // NVD: CVE-2017-17149

THREAT TYPE

local

Trust: 0.9

sources: BID: 103689 // CNNVD: CNNVD-201712-324

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201712-324

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-012822

PATCH
title:huawei-sa-20171220-01-hiwalleturl:http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-01-hiwallet-en
Trust: 0.8
title:Huawei HiWallet App Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100243
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-012822 // 
            
            
            
            CNNVD: CNNVD-201712-324

EXTERNAL IDS
db:NVDid:CVE-2017-17149
Trust: 2.8
db:JVNDBid:JVNDB-2017-012822
Trust: 0.8
db:CNNVDid:CNNVD-201712-324
Trust: 0.7
db:BIDid:103689
Trust: 0.4
db:VULHUBid:VHN-108142
Trust: 0.1
sources:
            
            
            VULHUB: VHN-108142 // 
            
            
            
            BID: 103689 // 
            
            
            
            JVNDB: JVNDB-2017-012822 // 
            
            
            
            CNNVD: CNNVD-201712-324 // 
            
            
            
            NVD: CVE-2017-17149

REFERENCES
url:http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-01-hiwallet-en
Trust: 2.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17149
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-17149
Trust: 0.8
url:http://www.huawei.com
Trust: 0.3
sources:
            
            
            VULHUB: VHN-108142 // 
            
            
            
            BID: 103689 // 
            
            
            
            JVNDB: JVNDB-2017-012822 // 
            
            
            
            CNNVD: CNNVD-201712-324 // 
            
            
            
            NVD: CVE-2017-17149

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 103689

SOURCES
db:VULHUBid:VHN-108142
db:BIDid:103689
db:JVNDBid:JVNDB-2017-012822
db:CNNVDid:CNNVD-201712-324
db:NVDid:CVE-2017-17149

LAST UPDATE DATE
2024-11-23T22:30:29.147000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-108142date:2019-10-03T00:00:00
db:BIDid:103689date:2017-12-20T00:00:00
db:JVNDBid:JVNDB-2017-012822date:2018-04-20T00:00:00
db:CNNVDid:CNNVD-201712-324date:2019-10-23T00:00:00
db:NVDid:CVE-2017-17149date:2024-11-21T03:17:35.110

SOURCES RELEASE DATE
db:VULHUBid:VHN-108142date:2018-03-09T00:00:00
db:BIDid:103689date:2017-12-20T00:00:00
db:JVNDBid:JVNDB-2017-012822date:2018-04-20T00:00:00
db:CNNVDid:CNNVD-201712-324date:2017-12-08T00:00:00
db:NVDid:CVE-2017-17149date:2018-03-09T17:29:00.533