Vulnerability Details CVE-2023-42189
Insecure Permissions vulnerability in Connectivity Standards Alliance Matter Official SDK v.1.1.0.0 , Nanoleaf Light strip v.3.5.10, Govee LED Strip v.3.00.42, switchBot Hub2 v.1.0-0.8, Phillips hue hub v.1.59.1959097030, and yeelight smart lamp v.1.12.69 allows a remote attacker to cause a denial of service via a crafted script to the KeySetRemove function.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 65.7%
CVSS Severity
CVSS v3 Score 7.5
References
- https://github.com/IoT-Fuzz/IoT-Fuzz/blob/main/Remove%20Key%20Set%20Vulnerability%20Report.pdf
- https://github.com/project-chip/connectedhomeip/issues/28518
- https://github.com/project-chip/connectedhomeip/issues/28679
- https://github.com/IoT-Fuzz/IoT-Fuzz/blob/main/Remove%20Key%20Set%20Vulnerability%20Report.pdf
- https://github.com/project-chip/connectedhomeip/issues/28518
- https://github.com/project-chip/connectedhomeip/issues/28679
Products affected by CVE-2023-42189
-
cpe:2.3:h:eve:eve_door_and_window:-
-
cpe:2.3:h:govee:led_strip:-
-
cpe:2.3:h:nanoleaf:lightstrip:-
-
cpe:2.3:h:orein:smart_bulb:-
-
cpe:2.3:h:phillips:hue_bridge:-
-
cpe:2.3:h:switchbot:hub2:-
-
cpe:2.3:h:tapo:mini_smart_wi-fi_plug:-
-
cpe:2.3:h:tp-link:smart_plug:-
-
cpe:2.3:h:yeelight:smart_lamp:-
-
cpe:2.3:o:eve:eve_door_and_window_firmware:-
-
cpe:2.3:o:govee:led_strip_firmware:3.00.42
-
cpe:2.3:o:nanoleaf:lightstrip_firmware:3.5.10
-
cpe:2.3:o:orein:smart_bulb_firmware:-
-
cpe:2.3:o:phillips:hue_bridge_firmware:1.59.1959097030
-
cpe:2.3:o:switchbot:hub2_firmware:1.0-0.8
-
cpe:2.3:o:tapo:mini_smart_wi-fi_plug_firmware:-
-
cpe:2.3:o:tp-link:smart_plug_firmware:-
-
cpe:2.3:o:yeelight:smart_lamp_firmware:1.12.69