jvndb-2021-000077
Vulnerability from jvndb
Published
2021-08-17 14:24
Modified
2021-08-17 14:24
Severity ?
6.8 (Medium) - cvssV3_0 - CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Huawei EchoLife HG8045Q vulnerable to OS command injection
Details
EchoLife HT8045Q provided by Huawei is an ONT (Optical Network Terminal) device. It is equipped with the command line interface for network operators' maintenance purpose, which is disabled by default. When the command line interface is enabled, operators can interact with a certain restricted set of commands. The command-line interface fails to process properly a certain crafted inputs, which enables some BusyBox-implemented commands executed (CWE-78).
References
JVN https://jvn.jp/en/jp/JVN41646618/index.html
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37028
NVD https://nvd.nist.gov/vuln/detail/CVE-2021-37028
OS Command Injection(CWE-78) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Impacted products
HuaweiHG8045Q
Show details on JVN DB website

To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000077.html",
  "dc:date": "2021-08-17T14:24+09:00",
  "dcterms:issued": "2021-08-17T14:24+09:00",
  "dcterms:modified": "2021-08-17T14:24+09:00",
  "description": "EchoLife HT8045Q provided by Huawei is an ONT (Optical Network Terminal) device.\r\nIt is equipped with the command line interface for network operators\u0027 maintenance purpose, which is disabled by default.\r\nWhen the command line interface is enabled, operators can interact with a certain restricted set of commands.\r\nThe command-line interface fails to process properly a certain crafted inputs, which enables some BusyBox-implemented commands executed (CWE-78).",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000077.html",
  "sec:cpe": {
    "#text": "cpe:/a:huawei:hg8045q",
    "@product": "HG8045Q",
    "@vendor": "Huawei",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "7.7",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
      "@version": "2.0"
    },
    {
      "@score": "6.8",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000077",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN41646618/index.html",
      "@id": "JVN#41646618",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37028",
      "@id": "CVE-2021-37028",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-37028",
      "@id": "CVE-2021-37028",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-78",
      "@title": "OS Command Injection(CWE-78)"
    }
  ],
  "title": "Huawei EchoLife HG8045Q vulnerable to OS command injection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.