
JVNDB-2024-003047

SEEnergy SVR-116 vulnerable to OS command injection

Overview

Network video recorder SVR-116 provided by SEEnergy Corp. contains an OS command injection vulnerability (CWE-78).

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC so that users could be notified of its existence and the solutions through JVN.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.2 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

CVSS V2 Severity:
Base Metrics 6.5 (Medium)
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

The product name and version reported to be vulnerable are as follows:

SEEnergy
  • SVR-116 firmware version 1.6.0.30028871

Impact

If a logged-in user with administrative privileges sends a specially crafted request to the affected product, an arbitrary OS command may be executed.

Solution

[Stop using the product and/or consider using it in a secure environment]
Since SEEnergy Corp. is unreachable due to its dissolution in 2016, the existence of any mitigations for this vulnerability is unknown.

Vendor Information

CWE

  1. OS Command Injection (CWE-78)

CVE

  1. CVE-2024-29167

References

  1. JVN : JVNVU#93932313

Revision History

  • [2024/03/28]
      Web page was published