CVE-2018-3909

HIGH

Samsung Sth-eth-250 Firmware - HTTP Request Smuggling

Title source: rule

Description

An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, 'onmessagecomplete' callback. An attacker can send an HTTP request to trigger this vulnerability.

References (1)

[Exploit, Third Party Advisory] https://talosintelligence.com/vulnerability_reports/TALOS-2018-0577

Scores

CVSS v3 8.6

EPSS 0.0042

EPSS Percentile 62.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Details

CWE

CWE-444

Status published

Products (1)

samsung/sth-eth-250_firmware 0.20.17

Published Aug 24, 2018

Tracked Since Feb 18, 2026