CVE-2023-5499 (GCVE-0-2023-5499)
Vulnerability from cvelistv5 – Published: 2023-10-10 13:21 – Updated: 2024-08-02 07:59
VLAI?
Title
Shenzhen Reachfar v28 information exposure
Summary
Information exposure vulnerability in Shenzhen Reachfar v28, the exploitation of which could allow a remote attacker to retrieve all the week's logs stored in the 'log2' directory. An attacker could retrieve sensitive information such as remembered wifi networks, sent messages, SOS device locations and device configurations.
Severity ?
7.5 (High)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SHENZHEN REACHFAR TECHNOLOGY COMPANY LIMITED | Shenzhen Reachfar v28 |
Affected:
all versions
|
Date Public ?
2023-10-10 10:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.903Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/shenzhen-reachfar-v28-information-exposure"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shenzhen Reachfar v28",
"vendor": "SHENZHEN REACHFAR TECHNOLOGY COMPANY LIMITED",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Joel Serna Moreno"
}
],
"datePublic": "2023-10-10T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information exposure vulnerability in Shenzhen Reachfar v28, the exploitation of which could allow a remote attacker to retrieve all the week\u0027s logs stored in the \u0027log2\u0027 directory. An attacker could retrieve sensitive information such as remembered wifi networks, sent messages, SOS device locations and device configurations."
}
],
"value": "Information exposure vulnerability in Shenzhen Reachfar v28, the exploitation of which could allow a remote attacker to retrieve all the week\u0027s logs stored in the \u0027log2\u0027 directory. An attacker could retrieve sensitive information such as remembered wifi networks, sent messages, SOS device locations and device configurations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-19T14:38:41.121Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/shenzhen-reachfar-v28-information-exposure"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The reported vulnerability has been solved in the latest version of the affected product."
}
],
"value": "The reported vulnerability has been solved in the latest version of the affected product."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Shenzhen Reachfar v28 information exposure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2023-5499",
"datePublished": "2023-10-10T13:21:59.698Z",
"dateReserved": "2023-10-10T09:26:26.184Z",
"dateUpdated": "2024-08-02T07:59:44.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-5499",
"date": "2026-04-25",
"epss": "0.00264",
"percentile": "0.49878"
},
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:reachfargps:reachfar_gps_firmware:28:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5A968B88-4FD1-48E6-9C2D-F1D8DC867511\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:reachfargps:reachfar_gps:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2791B085-7B96-40BD-B133-0175B19809AC\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Information exposure vulnerability in Shenzhen Reachfar v28, the exploitation of which could allow a remote attacker to retrieve all the week\u0027s logs stored in the \u0027log2\u0027 directory. An attacker could retrieve sensitive information such as remembered wifi networks, sent messages, SOS device locations and device configurations.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de exposici\\u00f3n de informaci\\u00f3n en Shenzhen Reachfar v28, cuya explotaci\\u00f3n podr\\u00eda permitir a un atacante remoto recuperar todos los registros de la semana almacenados en el directorio \u0027log2\u0027. Un atacante podr\\u00eda recuperar informaci\\u00f3n confidencial, como redes wifi recordadas, mensajes enviados, ubicaciones de dispositivos SOS y configuraciones de dispositivos.\"}]",
"id": "CVE-2023-5499",
"lastModified": "2024-11-21T08:41:54.103",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cve-coordination@incibe.es\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2023-10-10T14:15:11.213",
"references": "[{\"url\": \"https://www.incibe.es/en/incibe-cert/notices/aviso/shenzhen-reachfar-v28-information-exposure\", \"source\": \"cve-coordination@incibe.es\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.incibe.es/en/incibe-cert/notices/aviso/shenzhen-reachfar-v28-information-exposure\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"cve-coordination@incibe.es\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-532\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-532\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-5499\",\"sourceIdentifier\":\"cve-coordination@incibe.es\",\"published\":\"2023-10-10T14:15:11.213\",\"lastModified\":\"2024-11-21T08:41:54.103\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Information exposure vulnerability in Shenzhen Reachfar v28, the exploitation of which could allow a remote attacker to retrieve all the week\u0027s logs stored in the \u0027log2\u0027 directory. An attacker could retrieve sensitive information such as remembered wifi networks, sent messages, SOS device locations and device configurations.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de exposici\u00f3n de informaci\u00f3n en Shenzhen Reachfar v28, cuya explotaci\u00f3n podr\u00eda permitir a un atacante remoto recuperar todos los registros de la semana almacenados en el directorio \u0027log2\u0027. Un atacante podr\u00eda recuperar informaci\u00f3n confidencial, como redes wifi recordadas, mensajes enviados, ubicaciones de dispositivos SOS y configuraciones de dispositivos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:reachfargps:reachfar_gps_firmware:28:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A968B88-4FD1-48E6-9C2D-F1D8DC867511\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:reachfargps:reachfar_gps:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2791B085-7B96-40BD-B133-0175B19809AC\"}]}]}],\"references\":[{\"url\":\"https://www.incibe.es/en/incibe-cert/notices/aviso/shenzhen-reachfar-v28-information-exposure\",\"source\":\"cve-coordination@incibe.es\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.incibe.es/en/incibe-cert/notices/aviso/shenzhen-reachfar-v28-information-exposure\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…