Security Advisory - Path Traversal Vulnerability in Huawei Home Gateway Products

2015-11-2400:00:00

Huawei Technologies

www.huawei.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.096

Percentile

94.8%

JSON

There is a path traversal vulnerability on several Huawei home gateway products. The products do not properly validate HTTP requests received by a specific port. An remote attacker may access the local files on the device without authentication by crafting an HTTP request and sending it to the specific port. (Vulnerability ID: HWPSIRT-2015-09006)

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-7254.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:
<http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-462908.htm>

Affected configurations

Vulners

Node

huaweihg532eRange<V100R001C02B017

huaweiws318_firmwareRange<V100R001C01B022

huaweiws550-10_firmwareRange<V100R001C01B019

VendorProductVersionCPE
huaweihg532e*cpe:2.3:h:huawei:hg532e:*:*:*:*:*:*:*:*
huaweiws318_firmware*cpe:2.3:o:huawei:ws318_firmware:*:*:*:*:*:*:*:*
huaweiws550-10_firmware*cpe:2.3:a:huawei:ws550-10_firmware:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
huawei	hg532e	*	cpe:2.3:h:huawei:hg532e::::::::
huawei	ws318_firmware	*	cpe:2.3:o:huawei:ws318_firmware::::::::
huawei	ws550-10_firmware	*	cpe:2.3:a:huawei:ws550-10_firmware::::::::