Lucene search

ZephyrCVELIST:CVE-2023-4258

HistorySep 25, 2023 - 9:46 p.m.

CVE-2023-4258 bt: mesh: vulnerability in provisioning protocol implementation on provisionee side

2023-09-2521:46:37

CWE-684

zephyr

www.cve.org

bluetooth

mesh

provisioning

vulnerability

public key

oob

cve-2023-4258

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

20.7%

JSON

In Bluetooth mesh implementation If provisionee has a public key that is sent OOB then during provisioning it can be sent back and will be accepted by provisionee.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "packageName": "Zephyr",
    "product": "Zephyr",
    "repo": "https://github.com/zephyrproject-rtos/zephyr",
    "vendor": "zephyrproject-rtos",
    "versions": [
      {
        "lessThanOrEqual": "3.4",
        "status": "affected",
        "version": "1.14",
        "versionType": "git"
      }
    ]
  }
]

References

github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-m34c-cp63-rwh7

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

20.7%

JSON

Related for CVELIST:CVE-2023-4258