CVE-2023-40040 (GCVE-0-2023-40040)

Vulnerability from cvelistv5 – Published: 2023-09-11 00:00 – Updated: 2024-09-26 15:53
VLAI?
Summary
An issue was discovered in the MyCrops HiGrade "THC Testing & Cannabi" application 1.0.337 for Android. A remote attacker can start the camera feed via the com.cordovaplugincamerapreview.CameraActivity component in some situations. NOTE: this is only exploitable on Android versions that lack runtime permission checks, and of those only Android SDK 5.1.1 API 22 is consistent with the manifest. Thus, this applies only to Android Lollipop, affecting less than five percent of Android devices as of 2023.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:24:54.649Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/actuator/cve/blob/main/CVE-2023-40040"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:android:mycrops_higrade:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mycrops_higrade",
            "vendor": "android",
            "versions": [
              {
                "status": "affected",
                "version": "1.0.337"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-40040",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T15:49:42.437265Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T15:53:44.779Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the MyCrops HiGrade \"THC Testing \u0026 Cannabi\" application 1.0.337 for Android. A remote attacker can start the camera feed via the com.cordovaplugincamerapreview.CameraActivity component in some situations. NOTE: this is only exploitable on Android versions that lack runtime permission checks, and of those only Android SDK 5.1.1 API 22 is consistent with the manifest. Thus, this applies only to Android Lollipop, affecting less than five percent of Android devices as of 2023."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-11T05:59:07.526Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/actuator/cve/blob/main/CVE-2023-40040"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-40040",
    "datePublished": "2023-09-11T00:00:00.000Z",
    "dateReserved": "2023-08-08T00:00:00.000Z",
    "dateUpdated": "2024-09-26T15:53:44.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-40040",
      "date": "2026-04-25",
      "epss": "0.00098",
      "percentile": "0.26775"
    },
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mycrops:higrade:1.0.337:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80F3D3AB-302E-468B-A629-7D1FEC180109\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:google:android:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.0\", \"versionEndIncluding\": \"5.1.1\", \"matchCriteriaId\": \"FC72A6B1-2BD5-4548-B495-3890C6197500\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An issue was discovered in the MyCrops HiGrade \\\"THC Testing \u0026 Cannabi\\\" application 1.0.337 for Android. A remote attacker can start the camera feed via the com.cordovaplugincamerapreview.CameraActivity component in some situations. NOTE: this is only exploitable on Android versions that lack runtime permission checks, and of those only Android SDK 5.1.1 API 22 is consistent with the manifest. Thus, this applies only to Android Lollipop, affecting less than five percent of Android devices as of 2023.\"}, {\"lang\": \"es\", \"value\": \"Se descubri\\u00f3 un problema en la aplicaci\\u00f3n MyCrops HiGrade \\\"THC Testing \u0026amp; Cannabi\\\" 1.0.337 para Android. Un atacante remoto puede iniciar la transmisi\\u00f3n de la c\\u00e1mara a trav\\u00e9s del componente com.cordovaplugincamerapreview.CameraActivity en algunas situaciones. NOTA: esto solo se puede explotar en versiones de Android que carecen de comprobaciones de permisos de tiempo de ejecuci\\u00f3n y, de ellas, solo Android SDK 5.1.1 API 22 es coherente con el manifiesto. Por lo tanto, esto se aplica s\\u00f3lo a Android Lollipop, y afectar\\u00e1 a menos del cinco por ciento de los dispositivos Android a partir de 2023.\"}]",
      "id": "CVE-2023-40040",
      "lastModified": "2024-11-21T08:18:34.767",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
      "published": "2023-09-11T06:15:43.830",
      "references": "[{\"url\": \"https://github.com/actuator/cve/blob/main/CVE-2023-40040\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/actuator/cve/blob/main/CVE-2023-40040\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-40040\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2023-09-11T06:15:43.830\",\"lastModified\":\"2024-11-21T08:18:34.767\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in the MyCrops HiGrade \\\"THC Testing \u0026 Cannabi\\\" application 1.0.337 for Android. A remote attacker can start the camera feed via the com.cordovaplugincamerapreview.CameraActivity component in some situations. NOTE: this is only exploitable on Android versions that lack runtime permission checks, and of those only Android SDK 5.1.1 API 22 is consistent with the manifest. Thus, this applies only to Android Lollipop, affecting less than five percent of Android devices as of 2023.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema en la aplicaci\u00f3n MyCrops HiGrade \\\"THC Testing \u0026amp; Cannabi\\\" 1.0.337 para Android. Un atacante remoto puede iniciar la transmisi\u00f3n de la c\u00e1mara a trav\u00e9s del componente com.cordovaplugincamerapreview.CameraActivity en algunas situaciones. NOTA: esto solo se puede explotar en versiones de Android que carecen de comprobaciones de permisos de tiempo de ejecuci\u00f3n y, de ellas, solo Android SDK 5.1.1 API 22 es coherente con el manifiesto. Por lo tanto, esto se aplica s\u00f3lo a Android Lollipop, y afectar\u00e1 a menos del cinco por ciento de los dispositivos Android a partir de 2023.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mycrops:higrade:1.0.337:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F3D3AB-302E-468B-A629-7D1FEC180109\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:google:android:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0\",\"versionEndIncluding\":\"5.1.1\",\"matchCriteriaId\":\"FC72A6B1-2BD5-4548-B495-3890C6197500\"}]}]}],\"references\":[{\"url\":\"https://github.com/actuator/cve/blob/main/CVE-2023-40040\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/actuator/cve/blob/main/CVE-2023-40040\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/actuator/cve/blob/main/CVE-2023-40040\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T18:24:54.649Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-40040\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-26T15:49:42.437265Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:android:mycrops_higrade:*:*:*:*:*:*:*:*\"], \"vendor\": \"android\", \"product\": \"mycrops_higrade\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.337\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-26T15:53:39.266Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://github.com/actuator/cve/blob/main/CVE-2023-40040\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An issue was discovered in the MyCrops HiGrade \\\"THC Testing \u0026 Cannabi\\\" application 1.0.337 for Android. A remote attacker can start the camera feed via the com.cordovaplugincamerapreview.CameraActivity component in some situations. NOTE: this is only exploitable on Android versions that lack runtime permission checks, and of those only Android SDK 5.1.1 API 22 is consistent with the manifest. Thus, this applies only to Android Lollipop, affecting less than five percent of Android devices as of 2023.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2023-09-11T05:59:07.526Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-40040\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-26T15:53:44.779Z\", \"dateReserved\": \"2023-08-08T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2023-09-11T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.