Directory Traversal Vulnerability in ZTE ZXDT22 SF01 Product

Original release date:  9 October 2017

Update date:  20 October 2017

 

CVE ID

CVE-2017-10933

 

CVSS 3.0 Base Score

8.6 HIGH (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

 

Affected Product

ZXDT22 SF01

 

Affected Versions

All versions prior to V2.06.00.00

 

Description

All versions prior to V2.06.00.00 of ZTE ZXDT22 SF01, a monitoring system for ZTE energy products, are affected by a directory traversal vulnerability that allows remote attackers to read arbitrary files on the system via a full path name after the host address.
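The advisory does not state the root cause. As an added illustration of this bug class (not ZTE's code), the Python example below shows how a file handler that joins the request path onto its web root lets a full path name replace the root, beside a resolver that confines every request to the root. The function names, the POSIX path assumption and the temporary sample files are constructed for the example.

```python
import os
import tempfile

def naive_resolve(web_root, url_path):
    """Vulnerable pattern: trusts the URL path as a filesystem path."""
    # os.path.join discards web_root when the second part is absolute,
    # so a full path name in the request replaces the root entirely.
    return os.path.join(web_root, url_path)

def safe_resolve(web_root, url_path):
    """Return a path confined to web_root, or None if the request escapes it."""
    if "\x00" in url_path:
        return None
    root = os.path.realpath(web_root)
    # Strip leading separators so the request is always treated as relative.
    relative = url_path.replace("\\", "/").lstrip("/")
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def demo():
    """Build a constructed web root and a file outside it, then compare resolvers."""
    base = os.path.realpath(tempfile.mkdtemp())
    web_root = os.path.join(base, "www")
    os.makedirs(web_root)
    secret = os.path.join(base, "secret.conf")  # constructed file outside the root
    index = os.path.join(web_root, "index.html")
    for path in (secret, index):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    mapped = safe_resolve(web_root, secret)
    return {
        # Naive join hands back the outside file unchanged.
        "naive_full_path": naive_resolve(web_root, secret) == secret,
        # Hardened resolver remaps the full path to a location under the root.
        "safe_full_path_confined": mapped.startswith(web_root + os.sep)
        and mapped != secret,
        "safe_dotdot": safe_resolve(web_root, "/../secret.conf"),
        "safe_index": safe_resolve(web_root, "/index.html") == index,
    }

if __name__ == "__main__":
    print(demo())
```

With the hardened resolver, a full path name maps to a non-existent location under the web root, so the handler would answer with a not-found error instead of the file's contents.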

 

Resolution

Users are advised to upgrade or change to a newer version after V2.06.00.00.

 

Credit

Thanks to Zhang Jinxin for reporting the security issue to ZTE PSIRT.

 

References

CVE-2017-10933 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10933)

CVE-2017-10931 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10931)

CVE-2015-7250 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7250)

CVE-2015-7254 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7254)

 

Update Records

9 October 2017, initial.

20 October 2017, CVE ID assigned.

 

ZTE PSIRT

To give feedback on or report security vulnerabilities related to ZTE products, or to obtain ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.
