JVNVU#93932313
SEEnergy SVR-116 vulnerable to OS command injection
Overview
Network video recorder SVR-116 provided by SEEnergy Corp. contains an OS command injection vulnerability.
Products Affected
The product name and version reported to be vulnerable are as follows:
- SVR-116 firmware version 1.6.0.30028871
Description
Network video recorder SVR-116 provided by SEEnergy Corp. contains an OS command injection vulnerability (CWE-78).
Impact
If a logged-in user with an administrative privilege sends a specially crafted request to the affected product, an arbitrary OS command may be executed.
Solution
Stop using the product and/or consider using it under the secure environment
Since SEEnergy Corp. is unreachable due to its dissolusion in 2016, the existence of any mitigations for this vulnerability is unknown.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC to notify users its existence and the solutions through JVN.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-29167 |
| JVN iPedia |
|