Business Logic Errors in Several Huawei products
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-22398 |
| CWE-ID | CWE-840 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Hulk-AL00C Hardware solutions / Firmware Jennifer-AN00C Hardware solutions / Firmware Jenny-AL10B Hardware solutions / Firmware OxfordPL-AN10B Hardware solutions / Firmware |
| Vendor | Huawei |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Business Logic Errors
EUVDB-ID: #VU54880
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-22398
CWE-ID:
CWE-840 - Business Logic Errors (3.0)
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to the affected software does not properly restrict certain operation when the Digital Balance function is on. A local attacker can bypass the Digital Balance limit after a series of operations.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHulk-AL00C: 9.1.1.201(C00E201R8P1)
Jennifer-AN00C: 10.1.1.171(C00E170R6P3)
Jenny-AL10B: 10.1.0.228(C00E220R5P1)
OxfordPL-AN10B: 10.1.0.116(C00E110R2P1)
CPE2.3- cpe:2.3:h:huawei:hulk-al00c:9.1.1.201(C00E201R8P1):*:*:*:*:*:*:*
- cpe:2.3:h:huawei:jennifer-an00c:10.1.1.171(C00E170R6P3):*:*:*:*:*:*:*
- cpe:2.3:h:huawei:jenny-al10b:10.1.0.228(C00E220R5P1):*:*:*:*:*:*:*
- cpe:2.3:h:huawei:oxfordpl-an10b:10.1.0.116(C00E110R2P1):*:*:*:*:*:*:*
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210714-01-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
