CVE-2019-5295 - OpenCVE

Huawei Honor V10 smartphones versions earlier than Berkeley-AL20 9.0.0.125(C00E125R2P14T8) have an authorization bypass vulnerability. Due to improper authorization implementation logic, attackers can bypass certain authorization scopes of smart phones by performing specific operations. This vulnerability can be exploited to perform operations beyond the scope of authorization.

No CVSS v4.0

No CVSS v3.1

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Huawei	Honor View 10 Honor View 10 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:huawei:honor_view_10_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:honor_view_10:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190131-01-phone-en

History

No history.

MITRE

Status: PUBLISHED

Assigner: huawei

Published: 2019-06-06T14:39:27

Updated: 2024-08-04T19:54:53.234Z

Reserved: 2019-01-04T00:00:00

Link: CVE-2019-5295

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-06-06T15:29:01.343

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-5295

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Honor V10", "vendor": "Huawei", "versions": [{"status": "affected", "version": "Versions earlier than Berkeley-AL20 9.0.0.125(C00E125R2P14T8)"}]}], "datePublic": "2019-01-31T00:00:00", "descriptions": [{"lang": "en", "value": "Huawei Honor V10 smartphones versions earlier than Berkeley-AL20 9.0.0.125(C00E125R2P14T8) have an authorization bypass vulnerability. Due to improper authorization implementation logic, attackers can bypass certain authorization scopes of smart phones by performing specific operations. This vulnerability can be exploited to perform operations beyond the scope of authorization."}], "problemTypes": [{"descriptions": [{"description": "authorization bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-06T14:39:27", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190131-01-phone-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2019-5295", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Honor V10", "version": {"version_data": [{"version_value": "Versions earlier than Berkeley-AL20 9.0.0.125(C00E125R2P14T8)"}]}}]}, "vendor_name": "Huawei"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Huawei Honor V10 smartphones versions earlier than Berkeley-AL20 9.0.0.125(C00E125R2P14T8) have an authorization bypass vulnerability. Due to improper authorization implementation logic, attackers can bypass certain authorization scopes of smart phones by performing specific operations. This vulnerability can be exploited to perform operations beyond the scope of authorization."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "authorization bypass"}]}]}, "references": {"reference_data": [{"name": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190131-01-phone-en", "refsource": "CONFIRM", "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190131-01-phone-en"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:54:53.234Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190131-01-phone-en"}]}]}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2019-5295", "datePublished": "2019-06-06T14:39:27", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2024-08-04T19:54:53.234Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:honor_view_10_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7DF0888-0245-47D8-91A4-77B017038198", "versionEndExcluding": "berkeley-al20_9.0.0.125\\(c00e125r2p14t8\\)", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:honor_view_10:-:*:*:*:*:*:*:*", "matchCriteriaId": "E788B81C-69DB-4A13-AC70-1E17120CB82E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Huawei Honor V10 smartphones versions earlier than Berkeley-AL20 9.0.0.125(C00E125R2P14T8) have an authorization bypass vulnerability. Due to improper authorization implementation logic, attackers can bypass certain authorization scopes of smart phones by performing specific operations. This vulnerability can be exploited to perform operations beyond the scope of authorization."}, {"lang": "es", "value": "Los tel\u00e9fonos inteligentes Honor V10 de Huawei versiones anteriores a Berkeley-AL20 9.0.0.125 (C00E125R2P14T8), presentan una vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n. Debido a una l\u00f3gica de implementaci\u00f3n de autorizaci\u00f3n inapropiada, atacantes pueden omitir ciertos \u00e1mbitos de autorizaci\u00f3n de los tel\u00e9fonos inteligentes mediante la ejecuci\u00f3n de operaciones espec\u00edficas. Esta vulnerabilidad puede ser explotada para realizar operaciones m\u00e1s all\u00e1 del alcance de la autorizaci\u00f3n."}], "id": "CVE-2019-5295", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-06T15:29:01.343", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190131-01-phone-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}