CVE-2020-9127 : Some Huawei products have a command injection vulnerability. Due to insufficient

Some Huawei products have a command injection vulnerability. Due to insufficient input validation, an attacker with high privilege may inject some malicious codes in some files of the affected products. Successful exploit may cause command injection.Affected product versions include:NIP6300 versions V500R001C30,V500R001C60;NIP6600 versions V500R001C30,V500R001C60;Secospace USG6300 versions V500R001C30,V500R001C60;Secospace USG6500 versions V500R001C30,V500R001C60;Secospace USG6600 versions V500R001C30,V500R001C60;USG9500 versions V500R001C30,V500R001C60.

Published 2020-11-13 15:15:13

Updated 2021-07-21 11:39:24

Source Huawei Technologies

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2020-9127

Huawei » Nip6300 Firmware » Version: V500r001c30
cpe:2.3:o:huawei:nip6300_firmware:v500r001c30:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Nip6300 » Version: N/A
Huawei » Nip6300 Firmware » Version: V500r001c60
cpe:2.3:o:huawei:nip6300_firmware:v500r001c60:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Nip6300 » Version: N/A
Huawei » Secospace Usg6500 Firmware » Version: V500r001c30
cpe:2.3:o:huawei:secospace_usg6500_firmware:v500r001c30:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Secospace Usg6500 » Version: N/A
Huawei » Secospace Usg6500 Firmware » Version: V500r001c60
cpe:2.3:o:huawei:secospace_usg6500_firmware:v500r001c60:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Secospace Usg6500 » Version: N/A
Huawei » Usg9500 Firmware » Version: V500r001c30
cpe:2.3:o:huawei:usg9500_firmware:v500r001c30:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Usg9500 » Version: N/A
Huawei » Usg9500 Firmware » Version: V500r001c60
cpe:2.3:o:huawei:usg9500_firmware:v500r001c60:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Usg9500 » Version: N/A
Huawei » Secospace Usg6300 Firmware » Version: V500r001c30
cpe:2.3:o:huawei:secospace_usg6300_firmware:v500r001c30:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Secospace Usg6300 » Version: N/A
Huawei » Secospace Usg6300 Firmware » Version: V500r001c60
cpe:2.3:o:huawei:secospace_usg6300_firmware:v500r001c60:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Secospace Usg6300 » Version: N/A
Huawei » Secospace Usg6600 Firmware » Version: V500r001c30
cpe:2.3:o:huawei:secospace_usg6600_firmware:v500r001c30:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Secospace Usg6600 » Version: N/A
Huawei » Secospace Usg6600 Firmware » Version: V500r001c60
cpe:2.3:o:huawei:secospace_usg6600_firmware:v500r001c60:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Secospace Usg6600 » Version: N/A
Huawei » Nip6600 Firmware » Version: V500r001c30
cpe:2.3:o:huawei:nip6600_firmware:v500r001c30:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Nip6600 » Version: N/A
Huawei » Nip6600 Firmware » Version: V500r001c60
cpe:2.3:o:huawei:nip6600_firmware:v500r001c60:*:*:*:*:*:*:*
Matching versions
When used together with: Huawei » Nip6600 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-9127

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 27 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-9127

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-9127

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-9127

https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20201111-02-injection-en

Security Advisory - Command Injection Vulnerability in Some Huawei Products
Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-9127

Products affected by CVE-2020-9127

Exploit prediction scoring system (EPSS) score for CVE-2020-9127

CVSS scores for CVE-2020-9127

CWE ids for CVE-2020-9127

References for CVE-2020-9127