Lucene search

Rapid7CVELIST:CVE-2019-5625

HistoryMay 22, 2019 - 6:11 p.m.

CVE-2019-5625 Eaton Halo Home Android App Insecure Storage

2019-05-2218:11:12

CWE-922

rapid7

www.cve.org

2.8 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.0%

JSON

The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user’s personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.

CNA Affected

[
  {
    "product": "HALO Home",
    "vendor": "Eaton",
    "versions": [
      {
        "status": "affected",
        "version": "before 1.11.0"
      }
    ]
  }
]

References

blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/

www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/CVE-2019-5625-Halo-home-smart-lighting-vulnerability-advisory.pdf

2.8 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.0%

JSON

Related for CVELIST:CVE-2019-5625