Cyber Posture

CVE-2023-52954

Medium

Published: 08 January 2025

Published: 08 January 2025
Modified: 13 January 2025
KEV Added: not listed
Patch:
CVSS Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)
EPSS Score: 0.0005 (15.1th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-52954 is a medium-severity Incorrect Default Permissions (CWE-276) vulnerability in Huawei HarmonyOS. Its CVSS base score is 4.4 (Medium).

Operationally, its EPSS score places it at the 15.1th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to Gallery module resources, directly mitigating improper permission controls and preventing local exploitation.

AC-6 Least Privilege (prevent): Applies least privilege to restrict access in the Gallery module, countering the CWE-276 incorrect default permissions that a local attacker could exploit.

Prevent: Enables timely identification, reporting, and correction of the specific Gallery module flaw (CVE-2023-52954), preventing exploitation as recommended in Huawei's security bulletin.

NVD Description

Vulnerability of improper permission control in the Gallery module Impact: Successful exploitation of this vulnerability may affect availability.

Deeper analysis

CVE-2023-52954 is a vulnerability involving improper permission control in the Gallery module. It affects Huawei consumer products and was published on 2025-01-08 with a CVSS v3.1 base score of 4.4 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L). The issue is linked to CWE-701 (Incorrect Control Flow Scoping) and CWE-276 (Incorrect Default Permissions).

A local attacker can exploit this vulnerability with low attack complexity, requiring user interaction but no special privileges. Successful exploitation may have a low impact on confidentiality and availability, with no impact on integrity.

Huawei's security bulletin at https://consumer.huawei.com/en/support/bulletin/2025/1/ provides details on the vulnerability, including mitigation recommendations for affected devices.

Details

CWE(s)

Affected Products

huawei emui: 12.0.0, 13.0.0
huawei harmonyos: 2.0.0, 2.1.0, 3.0.0, 3.1.0

CVEs Like This One

CVE-2024-58044 (same product: Huawei Emui)
CVE-2024-56447 (same product: Huawei Emui)
CVE-2024-56440 (same product: Huawei Emui)
CVE-2024-58043 (same product: Huawei Emui)
CVE-2024-56442 (same product: Huawei Emui)
CVE-2026-28548 (same product: Huawei Emui)
CVE-2024-56448 (same product: Huawei Emui)
CVE-2024-56434 (same product: Huawei Emui)
CVE-2024-57958 (same product: Huawei Emui)
CVE-2024-57960 (same product: Huawei Emui)

References