Huawei FusionAccess V100R005C10/V100R005C20 LDAP ldap injection

A vulnerability was found in Huawei FusionAccess V100R005C10/V100R005C20 and classified as problematic. Affected by this issue is some unknown functionality of the component LDAP Handler. The manipulation leads to LDAP injection. The weakness is classified as CWE-90. The bug was discovered on 11/30/2016. The weakness was disclosed on 04/02/2017 as sa-20161130-01 (Website). The advisory is shared for download at huawei.com. This vulnerability is handled as CVE-2016-8779.

The attack may be launched remotely. There are no technical details available. There is no exploit available. The current price for an exploit might be approx. USD $5k-$25k at the moment. The MITRE ATT&CK project declares the attack technique as T1505. It is declared as not defined. The vulnerability was handled as a non-public zero-day exploit for at least 123 days. As a 0-day, the estimated underground price was around $5k-$25k.

A possible mitigation was published before, not after, the disclosure of the vulnerability. The vulnerability is also documented in other vulnerability databases: SecurityFocus (BID 94620).

| Field | 04/03/2017 09:05 AM | 11/24/2022 02:45 PM |
|---|---|---|
| vendor | Huawei | Huawei |
| name | FusionAccess | FusionAccess |
| version | V100R005C10/V100R005C20 | V100R005C10/V100R005C20 |
| component | LDAP Handler | LDAP Handler |
| discoverydate | 1480464000 | 1480464000 |
| cwe | 90 (ldap injection) | 90 (ldap injection) |
| risk | 1 | 1 |
| cvss2_vuldb_basescore | 4.0 | 4.0 |
| cvss2_vuldb_tempscore | 4.0 | 4.0 |
| cvss2_vuldb_av | N | N |
| cvss2_vuldb_ac | L | L |
| cvss2_vuldb_au | S | S |
| cvss2_vuldb_ci | P | P |
| cvss2_vuldb_ii | N | N |
| cvss2_vuldb_ai | N | N |
| cvss2_nvd_av | N | N |
| cvss2_nvd_ac | L | L |
| cvss2_nvd_au | S | S |
| cvss2_nvd_ci | P | P |
| cvss2_nvd_ii | N | N |
| cvss2_nvd_ai | N | N |
| cvss3_meta_basescore | 5.4 | 5.4 |
| cvss3_meta_tempscore | 5.4 | 5.4 |
| cvss3_vuldb_basescore | 4.3 | 4.3 |
| cvss3_vuldb_tempscore | 4.3 | 4.3 |
| cvss3_vuldb_av | N | N |
| cvss3_vuldb_ac | L | L |
| cvss3_vuldb_pr | L | L |
| cvss3_vuldb_ui | N | N |
| cvss3_vuldb_s | U | U |
| cvss3_vuldb_c | L | L |
| cvss3_vuldb_i | N | N |
| cvss3_vuldb_a | N | N |
| cvss3_nvd_av | N | N |
| cvss3_nvd_ac | L | L |
| cvss3_nvd_pr | L | L |
| cvss3_nvd_ui | N | N |
| cvss3_nvd_s | U | U |
| cvss3_nvd_c | H | H |
| cvss3_nvd_i | N | N |
| cvss3_nvd_a | N | N |
| date | 1491091200 (04/02/2017) | 1491091200 (04/02/2017) |
| url | http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161130-01-ldap-en | http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161130-01-ldap-en |
| confirm_url | http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161130-01-ldap-en | http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161130-01-ldap-en |
| price_0day | $5k-$25k | $5k-$25k |
| cve | CVE-2016-8779 | CVE-2016-8779 |
| cve_assigned | 1476748800 (10/18/2016) | 1476748800 (10/18/2016) |
| cve_nvd_published | 1491091200 | 1491091200 |
| cve_nvd_summary | Huawei FusionAccess with software V100R005C10 and V100R005C20 could allow remote attackers with specific permission to inject a Lightweight Directory Access Protocol (LDAP) operation command into a specific input variable to obtain sensitive information from the database. | Huawei FusionAccess with software V100R005C10 and V100R005C20 could allow remote attackers with specific permission to inject a Lightweight Directory Access Protocol (LDAP) operation command into a specific input variable to obtain sensitive information from the database. |
| osvdb_title | CVE-2016-8779 - Huawei - FusionAccess - Information Disclosure Issue | CVE-2016-8779 - Huawei - FusionAccess - Information Disclosure Issue |
| securityfocus | 94620 | 94620 |
| securityfocus_date | 1480550400 (12/01/2016) | 1480550400 (12/01/2016) |
| securityfocus_class | Input Validation Error | Input Validation Error |
| securityfocus_title | Huawei FusionAccess CVE-2016-8779 Command Injection Vulnerability | Huawei FusionAccess CVE-2016-8779 Command Injection Vulnerability |
| location | Website | Website |
| cvss2_vuldb_e | ND | ND |
| cvss2_vuldb_rl | ND | ND |
| cvss2_vuldb_rc | ND | ND |
| cvss3_vuldb_e | X | X |
| cvss3_vuldb_rl | X | X |
| cvss3_vuldb_rc | X | X |
| 0day_days | 123 | 123 |
| cvss3_nvd_basescore | 6.5 | 6.5 |

identifier: sa-20161130-01
cvss2_nvd_basescore: 4.0
