How severe is CVE-2017-8850?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2017-8850?

This is classified as CWE-319, which is a common weakness in software security.

CVE-2017-8850

MEDIUM Year: 2017

CVSS v3 Score

5.9

Medium

CVSS v2 Score

4.3

Medium

Weakness Type

CWE-319

View all →

Vulnerability Description

An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. Due to a lenient updater-script in the OnePlus OTA images, and the fact that both ROMs use the same OTA verification keys, attackers can install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders, which allows for exploitation of vulnerabilities patched on one image but not on the other, in addition to expansion of the attack surface. This vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process. This is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, physical attackers can reboot the phone into recovery, and then use 'adb sideload' to push the OTA (on OnePlus 3/3T 'Secure Start-up' must be off).

CVE-2017-1232

MEDIUM

CVSS:5.9(Medium)

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. IBM X-Fo...

CWE-3192017

CVE-2017-15042

MEDIUM

CVSS:5.9(Medium)

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. Th...

CWE-3192017

CVE-2017-2412

MEDIUM

CVSS:5.9(Medium)

An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "iTunes Store" component. It allows man-in-the-middle attackers to modify the client-server data ...

CWE-3192017

CVE-2017-6341

MEDIUM

CVSS:5.9(Medium)

Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06-06, Camera Firmware 2.400.0000.28.R 2016-03-29, and SmartPSS Software 1.16.1 2017-01-19 send cleartext passwords in response to r...

CWE-3192017

CVE-2017-8444

MEDIUM

CVSS:5.9(Medium)

The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client...

CWE-3192017

CVE-2017-8851

MEDIUM

CVSS:5.9(Medium)

An issue was discovered on OnePlus One and X devices. Due to a lenient updater-script on the OnePlus One and X OTA images, the fact that both products use the same OTA verification keys, and the fact ...

CWE-3192017

CVE-2017-8850

Vulnerability Description

Related Vulnerabilities

CVE-2017-1232

CVE-2017-15042

CVE-2017-2412

CVE-2017-6341

CVE-2017-8444

CVE-2017-8851