A vulnerability classified as critical has been found in Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera up to 3.x. This affects some unknown functionality of the file /etc/shadow of the component Web Interface. The manipulation with an unknown input leads to a path traversal vulnerability. CWE is classifying the issue as CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. This is going to have an impact on confidentiality. The summary by CVE is:

Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.x are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow. NOTE: this product is discontinued, and its final firmware version has this vulnerability (4.x versions exist only for other Genie Access products).

The weakness was presented 06/17/2019. This vulnerability is uniquely identified as CVE-2019-7315 since 02/03/2019. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details and a public exploit are known. MITRE ATT&CK project uses the attack technique T1006 for this issue.

It is declared as proof-of-concept.

The problem might be mitigated by replacing the product with as an alternative.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Genie Access

Name

• WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera

Version

• 3.x

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion