Path traversal in several Huawei Smartphones



Published: 2019-12-05
Risk: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2019-5251
CWE-ID: CWE-22
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
Huawei Honor V10
Client/Desktop applications / Multimedia software

P30
Client/Desktop applications / Multimedia software

Huawei Enjoy 7S
Client/Desktop applications / Multimedia software

Huawei Mate 20
Client/Desktop applications / Multimedia software

Huawei Honor 9 Lite
Client/Desktop applications / Multimedia software

Huawei Honor 9i
Client/Desktop applications / Multimedia software

Huawei M6
Client/Desktop applications / Multimedia software

P30 Pro
Client/Desktop applications / Multimedia software

Huawei Honor 20s
Client/Desktop applications / Multimedia software

Vendor: Huawei

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Path traversal

EUVDB-ID: #VU23412

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-5251

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a local attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences. A local attacker can trick the victim into installing, backing up and restoring a malicious application, and can then read arbitrary files on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Huawei Honor V10: before 9.1.0.333

P30: before 9.1.0.226

Huawei Enjoy 7S: before 9.1.0.226

Huawei Mate 20: before 9.1.0.139

Huawei Honor 9 Lite: before 9.1.0.143

Huawei Honor 9i: before 9.1.0.120

Huawei M6: before 9.1.1.150

P30 Pro: before 9.1.0.226

Huawei Honor 20s: before 9.1.1.132


External links

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191204-03-smartphone-en
