CVE-2017-2149
Summary
| CVE | CVE-2017-2149 |
|---|---|
| State | PUBLISHED |
| Assigner | jpcert |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-04-28 16:59:01 UTC |
| Updated | 2025-04-20 01:37:25 UTC |
| Description | Untrusted search path vulnerability in installers of the software for SDHC/SDXC Memory Card with embedded NFC functionality Software Update Tool V1.00.03 and earlier, SDHC Memory Card with embedded wireless LAN functionality FlashAir Configuration Software V3.0.2 and earlier, SDHC Memory Card with embedded wireless LAN functionality FlashAir Software Update tool (SD-WE series<W-03>) V3.00.01, SDHC Memory Card with embedded wireless LAN functionality FlashAir Software Update tool (SD-WD/WC series<W-02>) V2.00.03 and earlier, SDHC Memory Card with embedded wireless LAN functionality FlashAir Software Update tool (SD-WB/WL series) V1.00.04 and earlier, SDHC Memory Card with embedded TransferJet functionality Configuration Software V1.02 and earlier, SDHC Memory Card with embedded TransferJet functionality Software Update tool V1.00.06 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory. |
Risk And Classification
Primary CVSS: v3.0 8.8 HIGH from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Problem Types: CWE-426 | Untrusted search path vulnerability
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 9.3 | | AV:N/AC:M/Au:N/C:C/I:C/A:C |
CVSS v3.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality | Complete |
| Integrity | Complete |
| Availability | Complete |

AV:N/AC:M/Au:N/C:C/I:C/A:C
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Toshiba | Flashair | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Multiple Toshiba memory card installers DLL Loading Remote Code Execution Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| JVN#05340816: Multiple installers of Toshiba memory card related software may insecurely load Dynamic Link Libraries | af854a3a-2127-422b-91ae-364da2661108 | jvn.jp | Third Party Advisory, VDB Entry |
| (Follow-up) Regarding the DLL loading vulnerability in installers of Windows® software for SD memory cards with embedded NFC, FlashAir™, and SD memory cards with embedded TransferJet™|Toshiba: Personal Storage | af854a3a-2127-422b-91ae-364da2661108 | www.toshiba-personalstorage.net | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |