Details of VAR-201810-0477

ID

VAR-201810-0477

CVE

CVE-2018-17890

TITLE

NUUO CMS Vulnerabilities related to code quality

Trust: 0.8

sources: JVNDB: JVNDB-2018-010888

DESCRIPTION

NUUO CMS all versions 3.1 and prior, The application uses insecure and outdated software components for functionality, which could allow arbitrary code execution. NUUO CMS Contains a code quality vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NUUO CMS is a central software management platform from NUUO. The platform is used to centrally manage NVR (DVR), IP cameras and other devices, and provides user management and alarm management. An attacker could exploit the vulnerability to execute arbitrary code. NUUO CMS is prone to multiple remote code-execution and security-bypass vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. NUUO CMS 3.1 and prior are vulnerable

Trust: 2.61

sources: NVD: CVE-2018-17890 // JVNDB: JVNDB-2018-010888 // CNVD: CNVD-2018-21167 // BID: 105717 // IVD: e2fe539f-39ab-11e9-b7e5-000c29342cb1

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e2fe539f-39ab-11e9-b7e5-000c29342cb1 // CNVD: CNVD-2018-21167

AFFECTED PRODUCTS

vendor:	nuuo	model:	cms	scope:	lte	version:	3.1	Trust: 1.8
vendor:	nuuo	model:	cms	scope:	eq	version:	3.1	Trust: 0.9
vendor:	nuuo	model:	cms	scope:	lte	version:	<=3.1	Trust: 0.6
vendor:	nuuo	model:	cms	scope:	eq	version:	3.0	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	2.9	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	2.6	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	1.3.1	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	eq	version:	2.0	Trust: 0.3
vendor:	nuuo	model:	cms	scope:	ne	version:	3.3.0.18	Trust: 0.3
vendor:	nuuo cms	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: e2fe539f-39ab-11e9-b7e5-000c29342cb1 // CNVD: CNVD-2018-21167 // BID: 105717 // JVNDB: JVNDB-2018-010888 // CNNVD: CNNVD-201810-665 // NVD: CVE-2018-17890

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-17890
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-17890
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2018-21167
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201810-665
value:	CRITICAL
Trust: 0.6
IVD:	e2fe539f-39ab-11e9-b7e5-000c29342cb1
value:	CRITICAL
Trust: 0.2

nvd@nist.gov:	CVE-2018-17890
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-21167
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2fe539f-39ab-11e9-b7e5-000c29342cb1
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2018-17890
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2018-17890
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: e2fe539f-39ab-11e9-b7e5-000c29342cb1 // CNVD: CNVD-2018-21167 // JVNDB: JVNDB-2018-010888 // CNNVD: CNNVD-201810-665 // NVD: CVE-2018-17890

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-477	Trust: 1.0
problemtype:	CWE-398	Trust: 0.8

sources: JVNDB: JVNDB-2018-010888 // NVD: CVE-2018-17890

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 151260 // CNNVD: CNNVD-201810-665

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201810-665

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010888

PATCH

title:	Central Management System	url:	https://www.nuuo.com/ProductNode.php?node=3	Trust: 0.8
title:	Patch for NUUO CMS Code Execution Vulnerability (CNVD-2018-21167)	url:	https://www.cnvd.org.cn/patchInfo/show/142371	Trust: 0.6
title:	NUUO CMS Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85783	Trust: 0.6

sources: CNVD: CNVD-2018-21167 // JVNDB: JVNDB-2018-010888 // CNNVD: CNNVD-201810-665

EXTERNAL IDS

db:	NVD	id:	CVE-2018-17890	Trust: 3.6
db:	ICS CERT	id:	ICSA-18-284-02	Trust: 3.3
db:	BID	id:	105717	Trust: 1.9
db:	CNVD	id:	CNVD-2018-21167	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-665	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-010888	Trust: 0.8
db:	IVD	id:	E2FE539F-39AB-11E9-B7E5-000C29342CB1	Trust: 0.2
db:	PACKETSTORM	id:	151260	Trust: 0.1

sources: IVD: e2fe539f-39ab-11e9-b7e5-000c29342cb1 // CNVD: CNVD-2018-21167 // BID: 105717 // JVNDB: JVNDB-2018-010888 // PACKETSTORM: 151260 // CNNVD: CNNVD-201810-665 // NVD: CVE-2018-17890

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-284-02	Trust: 3.3
url:	http://www.securityfocus.com/bid/105717	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17890	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17890	Trust: 0.8
url:	http://www.nuuo.com/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17888	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17892	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17936	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17934	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17894	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-18982	Trust: 0.1

sources: CNVD: CNVD-2018-21167 // BID: 105717 // JVNDB: JVNDB-2018-010888 // PACKETSTORM: 151260 // CNNVD: CNNVD-201810-665 // NVD: CVE-2018-17890

CREDITS

Pedro Ribeiro

Trust: 0.4

sources: BID: 105717 // PACKETSTORM: 151260

SOURCES

db:	IVD	id:	e2fe539f-39ab-11e9-b7e5-000c29342cb1
db:	CNVD	id:	CNVD-2018-21167
db:	BID	id:	105717
db:	JVNDB	id:	JVNDB-2018-010888
db:	PACKETSTORM	id:	151260
db:	CNNVD	id:	CNNVD-201810-665
db:	NVD	id:	CVE-2018-17890

LAST UPDATE DATE

2024-11-23T22:30:16.556000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-21167	date:	2018-10-18T00:00:00
db:	BID	id:	105717	date:	2018-10-11T00:00:00
db:	JVNDB	id:	JVNDB-2018-010888	date:	2018-12-27T00:00:00
db:	CNNVD	id:	CNNVD-201810-665	date:	2020-09-21T00:00:00
db:	NVD	id:	CVE-2018-17890	date:	2024-11-21T03:55:08.893

SOURCES RELEASE DATE

db:	IVD	id:	e2fe539f-39ab-11e9-b7e5-000c29342cb1	date:	2018-10-18T00:00:00
db:	CNVD	id:	CNVD-2018-21167	date:	2018-10-16T00:00:00
db:	BID	id:	105717	date:	2018-10-11T00:00:00
db:	JVNDB	id:	JVNDB-2018-010888	date:	2018-12-27T00:00:00
db:	PACKETSTORM	id:	151260	date:	2019-01-21T23:02:22
db:	CNNVD	id:	CNNVD-201810-665	date:	2018-10-15T00:00:00
db:	NVD	id:	CVE-2018-17890	date:	2018-10-12T14:29:00.380