CVE-2018-3879 — SQL Injection in Samsung Smartthings HUB Sth-eth-250

CWE-89 — SQL Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 62.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samsung Smartthings HUB Sth-eth-250 Samsung Sth-eth-250 Firmware

Timeline

PublishedAug 23

Latest updateMay 13

Description

An exploitable JSON injection vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly parses the user-controlled JSON payload, leading to a JSON injection which in turn leads to a SQL injection in the video-core database. An attacker can send a series of HTTP requests to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDsamsung/sth-eth-250_firmware0.20.17

▶CVEListV5samsung/smartthings_hub_sth-eth-250Firmware version 0.20.17

🔴Vulnerability Details

GHSA

GHSA-wrgr-53r5-77j3: An exploitable JSON injection vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devic↗2022-05-13

▶

OSV

linux-lts-xenial, linux-aws vulnerabilities↗2019-02-04

▶

CVEList

CVE-2018-3879: An exploitable JSON injection vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devic↗2018-08-23

▶