2 vulnerabilities for vendor Govee
CVE-2023-4617 (GCVE-0-2023-4617)
Vulnerability from cvelistv5 – Published: 2024-12-19 09:39 – Updated: 2024-12-20 17:56
Summary
Incorrect authorization vulnerability in the HTTP POST method used by the Govee Home application on Android and iOS allows a remote attacker to control devices owned by other users by changing the values of the "device", "sku" and "type" fields in the request. The handler of that request evidently does not verify that the requesting account owns the device it names (CWE-863, an object-level authorization failure), so the device identifiers in the request body must not be trusted as proof of ownership.
This issue affects Govee Home applications on Android and iOS in versions before 5.9; versions 5.9 and later are recorded as unaffected, so the remediation is to update the app.
Severity (CVSS v3.1 base score, vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)
10 (Critical)
CWE
- CWE-863 - Incorrect Authorization
Assigner: CERT-PL
References
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/12/CVE-2023-4617/ | third-party-advisory |
| https://cert.pl/posts/2024/12/CVE-2023-4617/ | third-party-advisory |
| https://play.google.com/store/apps/details?id=com.govee.home | product |
| https://apps.apple.com/us/app/govee-home/id1395696823 | product |
Impacted products
| Vendor | Product | Platform | Affected versions |
|---|---|---|---|
| Govee | Govee Home | Android | 0 ≤ version < 5.9 (custom versioning) |
| Govee | Govee Home | iOS | 0 ≤ version < 5.9 (custom versioning) |
Credits
Jan Adamski (NASK-PIB)
Marek Janiszewski (NASK-PIB)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4617",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T17:56:30.387331Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T17:56:46.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "Govee Home",
"vendor": "Govee",
"versions": [
{
"lessThan": "5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "Govee Home",
"vendor": "Govee",
"versions": [
{
"lessThan": "5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jan Adamski (NASK-PIB)"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Marek Janiszewski (NASK-PIB)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIncorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing \"device\", \"sku\" and \"type\" fields\u0027 values.\u0026nbsp;\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Govee Home applications on Android and iOS in versions\u0026nbsp;before 5.9.\u003c/p\u003e"
}
],
"value": "Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing \"device\", \"sku\" and \"type\" fields\u0027 values.\u00a0\nThis issue affects Govee Home applications on Android and iOS in versions\u00a0before 5.9."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T09:39:31.393Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/12/CVE-2023-4617/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/12/CVE-2023-4617/"
},
{
"tags": [
"product"
],
"url": "https://play.google.com/store/apps/details?id=com.govee.home"
},
{
"tags": [
"product"
],
"url": "https://apps.apple.com/us/app/govee-home/id1395696823"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Gaining remote control over Govee devices",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-4617",
"datePublished": "2024-12-19T09:39:31.393Z",
"dateReserved": "2023-08-30T08:30:57.983Z",
"dateUpdated": "2024-12-20T17:56:46.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3612 (GCVE-0-2023-3612)
Vulnerability from cvelistv5 – Published: 2023-09-11 09:04 – Updated: 2024-09-26 14:32
Summary
The Govee Home app exposes a WebView component that can be opened by any other app installed on the device. By passing it the URL of a specially crafted site, an attacker can execute JavaScript in the context of that WebView or steal sensitive user data by displaying phishing content. Note that although the CVSS vector below rates the attack vector as Network, the described entry point is another app on the same device, so the realistic attack path requires a malicious app to already be installed. Affected versions are 5.7.03 up to, but not including, 5.8.01; the fix is to update to version 5.8.01 (released 17 August 2023) or later.
Severity (CVSS v3.1 base score, vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
8.2 (High)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner: SK-CERT
References
| URL | Tags |
|---|---|
| https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10 | (advisory, untagged in the record) |
Impacted products
| Vendor | Product | Platforms | Affected versions |
|---|---|---|---|
| Govee | Govee Home | Android, iOS | 5.7.03 ≤ version < 5.8.01 (custom versioning) |
Credits
Jan Adamski (johnny1337.pl; jan.adamski@nask.pl)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:57.140Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T14:32:16.829725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T14:32:25.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android",
"iOS"
],
"product": "Govee Home",
"vendor": "Govee",
"versions": [
{
"lessThan": "5.8.01",
"status": "affected",
"version": "5.7.03",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jan Adamski (johnny1337.pl; jan.adamski@nask.pl)"
}
],
"datePublic": "2023-09-11T10:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Govee Home app has unprotected access to WebView component which can be opened by any app on\u0026nbsp;the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or\u0026nbsp;steal sensitive user data by displaying phishing content. "
}
],
"value": "Govee Home app has unprotected access to WebView component which can be opened by any app on\u00a0the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or\u00a0steal sensitive user data by displaying phishing content. "
}
],
"impacts": [
{
"capecId": "CAPEC-98",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-98 Phishing"
}
]
},
{
"capecId": "CAPEC-19",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-19 Embedding Scripts within Scripts"
}
]
},
{
"capecId": "CAPEC-22",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-22 Exploiting Trust in Client"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749 Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-13T06:17:09.814Z",
"orgId": "bc375322-d3d7-4481-b261-e29662236cfd",
"shortName": "SK-CERT"
},
"references": [
{
"url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to version 5.8.01 (released on 17.08.2023) or latest"
}
],
"value": "Update to version 5.8.01 (released on 17.08.2023) or latest"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2023-07-10T11:00:00.000Z",
"value": "Received information about vulnerability from a security researcher - Jan Adamski (johnny1337.pl; jan.adamski@nask.pl)"
},
{
"lang": "en",
"time": "2023-07-11T11:39:00.000Z",
"value": "Initial notification of the vendor"
},
{
"lang": "en",
"time": "2023-08-03T13:25:00.000Z",
"value": "Vendor confirmed the receipt of vulnerability report"
},
{
"lang": "en",
"time": "2023-08-10T13:25:00.000Z",
"value": "Vendor informed about security update being released on 17.08.2023"
},
{
"lang": "en",
"time": "2023-08-17T00:00:00.000Z",
"value": "Updated version of the application released"
}
],
"title": "Unprotected WebView access in Govee Home App",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bc375322-d3d7-4481-b261-e29662236cfd",
"assignerShortName": "SK-CERT",
"cveId": "CVE-2023-3612",
"datePublished": "2023-09-11T09:04:09.924Z",
"dateReserved": "2023-07-11T06:15:11.185Z",
"dateUpdated": "2024-09-26T14:32:25.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}