CVE Vulnerabilities


Improper Neutralization of Special Elements used in a Command ('Command Injection')

Published: Oct 03, 2017 | Modified: Oct 23, 2017
CVSS 3.x
CVSS 2.x

The login page of the server on Huawei FusionServer rack servers RH2288 V3 with software before V100R003C00SPC603, RH2288H V3 with software before V100R003C00SPC503, XH628 V3 with software before V100R003C00SPC602, RH1288 V3 with software before V100R003C00SPC602, RH2288A V2 with software before V100R002C00SPC701, RH1288A V2 with software before V100R002C00SPC502, RH8100 V3 with software before V100R003C00SPC110, CH222 V3 with software before V100R001C00SPC161, CH220 V3 with software before V100R001C00SPC161, and CH121 V3 with software before V100R001C00SPC161 allows remote attackers to bypass access restrictions and enter commands via unspecified parameters, as demonstrated by a user creation command.


The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Fusionserver_ch121_v3 Huawei v100r001c00 (including) v100r001c00 (including)
Fusionserver_ch220_v3 Huawei v100r001c00 (including) v100r001c00 (including)
Fusionserver_ch222_v3 Huawei v100r001c00 (including) v100r001c00 (including)
Fusionserver_rh1288_v3 Huawei v100r003c00spc100 (including) v100r003c00spc100 (including)
Fusionserver_rh1288a_v2 Huawei v100r002c00 (including) v100r002c00 (including)
Fusionserver_rh2288_v3 Huawei v100r003c00 (including) v100r003c00 (including)
Fusionserver_rh2288a_v2 Huawei v100r002c00 (including) v100r002c00 (including)
Fusionserver_rh2288h_v3 Huawei v100r003c00 (including) v100r003c00 (including)
Fusionserver_rh8100_v3 Huawei v100r003c00 (including) v100r003c00 (including)
Fusionserver_xh628_v3 Huawei v100r003c00 (including) v100r003c00 (including)

Extended Description

Command injection vulnerabilities typically occur when:

Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks. Command injection is a common problem with wrapper programs.

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.