PT-2018-16250 · Samsung · Samsung Smartthings Hub
Published: 2018-08-23 · Updated: 2022-12-03 · CVE-2018-3856
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Samsung SmartThings Hub STH-ETH-250 version 0.20.17
Description
The issue arises from the device's incorrect handling of spaces in the URL field of the smart camera RTSP configuration, which leads to arbitrary operating system command injection. An attacker can exploit this by sending a series of HTTP requests.
Recommendations
For Samsung SmartThings Hub STH-ETH-250 version 0.20.17, consider restricting access to the RTSP configuration to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using spaces in the URL field. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Argument Injection
Affected Products
Samsung Smartthings Hub