github - ghsa-rjr7-mrw5-5m4x

GHSA-RJR7-MRW5-5M4X

Vulnerability from github – Published: 2025-03-27 09:30 – Updated: 2025-03-27 09:30

Details

A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to leak sensitive user information.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-45361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T08:15:17Z",
    "severity": "MODERATE"
  },
  "details": "A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to leak sensitive user information.",
  "id": "GHSA-rjr7-mrw5-5m4x",
  "modified": "2025-03-27T09:30:31Z",
  "published": "2025-03-27T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45361"
    },
    {
      "type": "WEB",
      "url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=558"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2024-45361 (GCVE-0-2024-45361)

Vulnerability from cvelistv5 – Published: 2025-03-27 07:16 – Updated: 2025-06-23 09:43

Summary

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

Assigner

Xiaomi

References

URL

Tags

https://trust.mi.com/zh-CN/misrc/bulletins/adviso…

Impacted products

	Vendor	Product	Version
	Xiaomi	Xiaomi Mi Connect Service	Affected: Xiaomi Mi Connect Service3.1.895.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45361",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T13:30:58.813684Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T13:31:06.739Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Xiaomi Mi Connect Service",
          "vendor": "Xiaomi",
          "versions": [
            {
              "status": "affected",
              "version": "Xiaomi Mi Connect Service3.1.895.10"
            }
          ]
        }
      ],
      "datePublic": "2025-03-27T09:43:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to leak sensitive user information.   \u003cbr\u003e"
            }
          ],
          "value": "A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to leak sensitive user information."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-157",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-157 Sniffing Attacks"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319 Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-23T09:43:27.193Z",
        "orgId": "b57733aa-7326-4f07-8e09-0be8e0df1909",
        "shortName": "Xiaomi"
      },
      "references": [
        {
          "url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=558"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mi Connect Service APP protocol flaws lead to leaking sensitive user information",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b57733aa-7326-4f07-8e09-0be8e0df1909",
    "assignerShortName": "Xiaomi",
    "cveId": "CVE-2024-45361",
    "datePublished": "2025-03-27T07:16:21.898Z",
    "dateReserved": "2024-08-28T02:24:48.946Z",
    "dateUpdated": "2025-06-23T09:43:27.193Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-RJR7-MRW5-5M4X

CVE-2024-45361 (GCVE-0-2024-45361)

Tags

Sightings

Nomenclature