Details of VAR-201810-1151

ID

VAR-201810-1151

CVE

CVE-2018-7111

TITLE

HPE UIoT Vulnerabilities in authorization, authority and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-013632

DESCRIPTION

A remote unauthorized access vulnerability was identified in HPE UIoT versions 1.5, 1.4.0, 1.4.1, 1.4.2, 1.2.4.2. Specifically, there is a malfunction identified in some section of the DSM portal and some DSM APIs. The impact of the malfunction is that the info can be changed by other users. HPE UIoT is a universal IoT platform from Hewlett Packard Enterprise (HPE). The platform has functions such as data analysis, currency security and synchronization management. A remote attacker could use this vulnerability to change other user information. The following versions are affected: HPE UIoT 1.5 version, 1.4.0 version, 1.4.1 version, 1.4.2 version, 1.2.4.2 version. HP UIoT is prone to an unauthorized-access vulnerability. Successful exploits may allow an attacker to obtain sensitive information or gain unauthorized administrative access. This may aid in further attacks

Trust: 2.97

sources: NVD: CVE-2018-7111 // JVNDB: JVNDB-2018-013632 // CNVD: CNVD-2019-24254 // CNNVD: CNNVD-201810-1017 // BID: 105704

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-24254

AFFECTED PRODUCTS

vendor:	hp	model:	universal internet of things	scope:	eq	version:	1.4.0	Trust: 1.0
vendor:	hp	model:	universal internet of things	scope:	eq	version:	1.4.2	Trust: 1.0
vendor:	hp	model:	universal internet of things	scope:	eq	version:	1.5	Trust: 1.0
vendor:	hp	model:	universal internet of things	scope:	eq	version:	1.4.1	Trust: 1.0
vendor:	hp	model:	universal internet of things	scope:	eq	version:	1.2.4.2	Trust: 1.0
vendor:	hewlett packard	model:	hpe uiot	scope:	eq	version:	1.2.4.2	Trust: 0.8
vendor:	hewlett packard	model:	hpe uiot	scope:	eq	version:	1.4.0	Trust: 0.8
vendor:	hewlett packard	model:	hpe uiot	scope:	eq	version:	1.4.1	Trust: 0.8
vendor:	hewlett packard	model:	hpe uiot	scope:	eq	version:	1.4.2	Trust: 0.8
vendor:	hewlett packard	model:	hpe uiot	scope:	eq	version:	1.5	Trust: 0.8
vendor:	hpe	model:	uiot	scope:	eq	version:	1.5	Trust: 0.6
vendor:	hpe	model:	uiot	scope:	eq	version:	1.4.0	Trust: 0.6
vendor:	hpe	model:	uiot	scope:	eq	version:	1.4.1	Trust: 0.6
vendor:	hpe	model:	uiot	scope:	eq	version:	1.4.2	Trust: 0.6
vendor:	hpe	model:	uiot	scope:	eq	version:	1.2.4.2	Trust: 0.6
vendor:	hpe	model:	universal internet of things	scope:	eq	version:	1.4.0	Trust: 0.6
vendor:	hpe	model:	universal internet of things	scope:	eq	version:	1.5	Trust: 0.6
vendor:	hpe	model:	universal internet of things	scope:	eq	version:	1.2.4.2	Trust: 0.6
vendor:	hpe	model:	universal internet of things	scope:	eq	version:	1.4.1	Trust: 0.6
vendor:	hpe	model:	universal internet of things	scope:	eq	version:	1.4.2	Trust: 0.6
vendor:	hp	model:	uiot	scope:	eq	version:	1.4.2	Trust: 0.3
vendor:	hp	model:	uiot	scope:	eq	version:	1.4.1	Trust: 0.3
vendor:	hp	model:	uiot	scope:	eq	version:	1.4	Trust: 0.3
vendor:	hp	model:	uiot	scope:	eq	version:	1.5	Trust: 0.3
vendor:	hp	model:	uiot	scope:	eq	version:	1.2.4.2	Trust: 0.3

sources: CNVD: CNVD-2019-24254 // BID: 105704 // JVNDB: JVNDB-2018-013632 // CNNVD: CNNVD-201810-1017 // NVD: CVE-2018-7111

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-7111
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-7111
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-24254
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201810-1017
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2018-7111
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-24254
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2018-7111
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-24254 // JVNDB: JVNDB-2018-013632 // CNNVD: CNNVD-201810-1017 // NVD: CVE-2018-7111

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-264	Trust: 0.8

sources: JVNDB: JVNDB-2018-013632 // NVD: CVE-2018-7111

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1017

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201810-1017

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013632

PATCH

title:	hpesbhf03891en_us	url:	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03891en_us	Trust: 0.8
title:	Patch for HPE UIoT Unauthorized Access Vulnerability Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/171523	Trust: 0.6
title:	HPE UIoT Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86082	Trust: 0.6

sources: CNVD: CNVD-2019-24254 // JVNDB: JVNDB-2018-013632 // CNNVD: CNNVD-201810-1017

EXTERNAL IDS

db:	NVD	id:	CVE-2018-7111	Trust: 3.3
db:	BID	id:	105704	Trust: 1.9
db:	JVNDB	id:	JVNDB-2018-013632	Trust: 0.8
db:	CNVD	id:	CNVD-2019-24254	Trust: 0.6
db:	CNNVD	id:	CNNVD-201810-1017	Trust: 0.6

sources: CNVD: CNVD-2019-24254 // BID: 105704 // JVNDB: JVNDB-2018-013632 // CNNVD: CNNVD-201810-1017 // NVD: CVE-2018-7111

REFERENCES

url:	https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03891en_us	Trust: 2.5
url:	http://www.securityfocus.com/bid/105704	Trust: 1.6
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/151691	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7111	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-7111	Trust: 0.8
url:	http://www.hp.com	Trust: 0.3

sources: CNVD: CNVD-2019-24254 // BID: 105704 // JVNDB: JVNDB-2018-013632 // CNNVD: CNNVD-201810-1017 // NVD: CVE-2018-7111

CREDITS

Trust: 0.3

sources: BID: 105704

SOURCES

db:	CNVD	id:	CNVD-2019-24254
db:	BID	id:	105704
db:	JVNDB	id:	JVNDB-2018-013632
db:	CNNVD	id:	CNNVD-201810-1017
db:	NVD	id:	CVE-2018-7111

LAST UPDATE DATE

2024-11-23T22:38:02.400000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-24254	date:	2019-07-25T00:00:00
db:	BID	id:	105704	date:	2018-10-15T00:00:00
db:	JVNDB	id:	JVNDB-2018-013632	date:	2019-02-27T00:00:00
db:	CNNVD	id:	CNNVD-201810-1017	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2018-7111	date:	2024-11-21T04:11:39.657

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-24254	date:	2019-07-24T00:00:00
db:	BID	id:	105704	date:	2018-10-15T00:00:00
db:	JVNDB	id:	JVNDB-2018-013632	date:	2019-02-27T00:00:00
db:	CNNVD	id:	CNNVD-201810-1017	date:	2018-10-18T00:00:00
db:	NVD	id:	CVE-2018-7111	date:	2018-10-17T13:29:00.723