CVE-2024-41883 - Vulnerability Details - OpenCVE

Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the NVR . An attacker enters a special value for a specific URL parameter, resulting in a NULL pointer reference and a reboot of the NVR. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://www.hanwhavision.com/wp-content/uploads/2024/12/NVR-Vulnerability-Report-CVE-2024-4188241887.pdf

History

Tue, 24 Dec 2024 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Dec 2024 05:45:00 +0000

Type	Values Removed	Values Added
Description		Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the NVR . An attacker enters a special value for a specific URL parameter, resulting in a NULL pointer reference and a reboot of the NVR. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.
Title		Null Pointer Dereference
Weaknesses		CWE-476
References		https://www.hanwhavision.com/wp-content/uploads/2024/12/NVR-Vulnerability-Report-CVE-2024-4188241887.pdf
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Hanwha_Vision

Published: 2024-12-24T05:32:41.711Z

Updated: 2024-12-24T15:23:56.758Z

Reserved: 2024-07-23T00:24:03.861Z

Link: CVE-2024-41883

Vulnrichment

Updated: 2024-12-24T15:23:53.063Z

NVD

Status : Received

Published: 2024-12-24T06:15:33.943

Modified: 2024-12-24T06:15:33.943

Link: CVE-2024-41883

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41883", "assignerOrgId": "fc9afe74-3f80-4fb7-a313-e6f036a89882", "state": "PUBLISHED", "assignerShortName": "Hanwha_Vision", "dateReserved": "2024-07-23T00:24:03.861Z", "datePublished": "2024-12-24T05:32:41.711Z", "dateUpdated": "2024-12-24T15:23:56.758Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "XRN-420S", "vendor": "Hanwha Vision Co., Ltd.", "versions": [{"status": "affected", "version": "5.01.62 and prior versions"}]}], "datePublic": "2024-12-24T05:29:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div>Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the \n\nNVR\n\n.<span style=\"background-color: var(--wht);\"> An attacker enters a special value for a specific URL parameter, resulting in a NULL pointer reference and a reboot of the NVR. </span><span style=\"background-color: var(--wht);\">The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.</span></div></div>"}], "value": "Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the \n\nNVR\n\n.\u00a0An attacker enters a special value for a specific URL parameter, resulting in a NULL pointer reference and a reboot of the NVR.\u00a0The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "fc9afe74-3f80-4fb7-a313-e6f036a89882", "shortName": "Hanwha_Vision", "dateUpdated": "2024-12-24T05:32:41.711Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.hanwhavision.com/wp-content/uploads/2024/12/NVR-Vulnerability-Report-CVE-2024-4188241887.pdf"}], "source": {"discovery": "UNKNOWN"}, "title": "Null Pointer Dereference", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-24T15:23:44.295358Z", "id": "CVE-2024-41883", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-24T15:23:56.758Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41883", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-24T15:23:44.295358Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-24T15:23:53.063Z"}}], "cna": {"title": "Null Pointer Dereference", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hanwha Vision Co., Ltd.", "product": "XRN-420S", "versions": [{"status": "affected", "version": "5.01.62 and prior versions"}], "defaultStatus": "unaffected"}], "datePublic": "2024-12-24T05:29:00.000Z", "references": [{"url": "https://www.hanwhavision.com/wp-content/uploads/2024/12/NVR-Vulnerability-Report-CVE-2024-4188241887.pdf", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the \n\nNVR\n\n.\u00a0An attacker enters a special value for a specific URL parameter, resulting in a NULL pointer reference and a reboot of the NVR.\u00a0The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.", "supportingMedia": [{"type": "text/html", "value": "<div><div>Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the \n\nNVR\n\n.<span style=\"background-color: var(--wht);\"> An attacker enters a special value for a specific URL parameter, resulting in a NULL pointer reference and a reboot of the NVR. </span><span style=\"background-color: var(--wht);\">The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.</span></div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "fc9afe74-3f80-4fb7-a313-e6f036a89882", "shortName": "Hanwha_Vision", "dateUpdated": "2024-12-24T05:32:41.711Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41883", "state": "PUBLISHED", "dateUpdated": "2024-12-24T15:23:56.758Z", "dateReserved": "2024-07-23T00:24:03.861Z", "assignerOrgId": "fc9afe74-3f80-4fb7-a313-e6f036a89882", "datePublished": "2024-12-24T05:32:41.711Z", "assignerShortName": "Hanwha_Vision"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the \n\nNVR\n\n.\u00a0An attacker enters a special value for a specific URL parameter, resulting in a NULL pointer reference and a reboot of the NVR.\u00a0The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds."}], "id": "CVE-2024-41883", "lastModified": "2024-12-24T06:15:33.943", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "fc9afe74-3f80-4fb7-a313-e6f036a89882", "type": "Secondary"}]}, "published": "2024-12-24T06:15:33.943", "references": [{"source": "fc9afe74-3f80-4fb7-a313-e6f036a89882", "url": "https://www.hanwhavision.com/wp-content/uploads/2024/12/NVR-Vulnerability-Report-CVE-2024-4188241887.pdf"}], "sourceIdentifier": "fc9afe74-3f80-4fb7-a313-e6f036a89882", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "fc9afe74-3f80-4fb7-a313-e6f036a89882", "type": "Secondary"}]}