#VU14091 HTTP header injection in SmartThings Hub STH-ETH-250 - CVE-2018-3911

 


Published: July 30, 2018


Vulnerability identifier: #VU14091
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-3911
CWE-ID: CWE-113
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
SmartThings Hub STH-ETH-250
Software vendor:
Samsung

Description

The vulnerability allows a remote attacker to inject HTTP headers on the target system.

The weakness exists in the remote servers of Samsung SmartThings Hub because the hubCore process listens on port 39500 and relays any unauthenticated message to SmartThings' remote servers, which insecurely handle JSON messages. A remote attacker can send an HTTP request and cause partially controlled requests to be generated toward the internal video-core process.


Remediation

Install the update from the vendor's website.

External links