Path traversal in several Huawei Smartphones
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-5251 |
| CWE-ID | CWE-22 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Huawei Honor V10 Client/Desktop applications / Multimedia software P30 Client/Desktop applications / Multimedia software Huawei Enjoy 7S Client/Desktop applications / Multimedia software Huawei Mate 20 Client/Desktop applications / Multimedia software Huawei Honor 9 Lite Client/Desktop applications / Multimedia software Huawei Honor 9i Client/Desktop applications / Multimedia software Huawei M6 Client/Desktop applications / Multimedia software P30 Pro Client/Desktop applications / Multimedia software Huawei Honor 20s Client/Desktop applications / Multimedia software |
| Vendor | Huawei |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Path traversal
EUVDB-ID: #VU23412
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-5251
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A local attacker can trick the victim to install, backup up and restore a malicious application and read arbitrary files on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHuawei Honor V10: All versions
P30: All versions
Huawei Enjoy 7S: All versions
Huawei Mate 20: All versions
Huawei Honor 9 Lite: All versions
Huawei Honor 9i: All versions
Huawei M6: All versions
P30 Pro: All versions
Huawei Honor 20s: All versions
CPE2.3- cpe:2.3:a:huawei:huawei_honor_v10:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:p30:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:huawei_enjoy_7s:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:huawei_mate_20:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:huawei_honor_9_lite:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:huawei_honor_9i:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:huawei_m6:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:p30_pro:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:huawei_honor_20s:*:*:*:*:*:*:*:*
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191204-03-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
