Multiple vulnerabilities in OpenHarmony
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-0036 CVE-2023-0035 |
| CWE-ID | CWE-294 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
OpenHarmony Web applications / Modules and components for CMS |
| Vendor | OpenHarmony |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Authentication Bypass by Capture-replay
EUVDB-ID: #VU71469
Risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-0036
CWE-ID:
CWE-294 - Authentication Bypass by Capture-replay
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests in the platform_callback_stub function in the misc subsystem. A local user can bypass authentication process and obtain sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOpenHarmony: 3.0.5
CPE2.3- cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*
- cpe:2.3:a:openharmony:openharmony:3.0.5:*:*:*:*:*:*:*
http://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-01.md
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Authentication Bypass by Capture-replay
EUVDB-ID: #VU71471
Risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-0035
CWE-ID:
CWE-294 - Authentication Bypass by Capture-replay
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests in the softbus_client_stub function in the communication subsystem. A local user can bypass authentication process and obtain sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOpenHarmony: 3.0.5
CPE2.3- cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*
- cpe:2.3:a:openharmony:openharmony:3.0.5:*:*:*:*:*:*:*
http://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-01.md
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
