CVE-2020-10876 - Vulnerability Details - OpenCVE

The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. This allows an attacker to brute force the four-digit verification code in order to bypass email verification and change the password of a victim account.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mica	Fingerprint Bluetooth Padlock Fb50
Oklok Project	Oklok

Configuration 1 [-]

AND

cpe:2.3:a:oklok_project:oklok:3.1.1:*:*:*:*:iphone_os:*:*

cpe:2.3:h:mica:fingerprint_bluetooth_padlock_fb50:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://apps.apple.com/us/app/oklok/id1392287771
https://github.com/fierceoj/ownklok

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-04T13:09:47

Updated: 2024-08-04T11:14:15.614Z

Reserved: 2020-03-23T00:00:00

Link: CVE-2020-10876

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-05-04T14:15:13.077

Modified: 2024-11-21T04:56:16.210

Link: CVE-2020-10876

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. This allows an attacker to brute force the four-digit verification code in order to bypass email verification and change the password of a victim account."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-04T20:54:39", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://apps.apple.com/us/app/oklok/id1392287771"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/fierceoj/ownklok"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-10876", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. This allows an attacker to brute force the four-digit verification code in order to bypass email verification and change the password of a victim account."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://apps.apple.com/us/app/oklok/id1392287771", "refsource": "MISC", "url": "https://apps.apple.com/us/app/oklok/id1392287771"}, {"name": "https://github.com/fierceoj/ownklok", "refsource": "MISC", "url": "https://github.com/fierceoj/ownklok"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:14:15.614Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://apps.apple.com/us/app/oklok/id1392287771"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/fierceoj/ownklok"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-10876", "datePublished": "2020-05-04T13:09:47", "dateReserved": "2020-03-23T00:00:00", "dateUpdated": "2024-08-04T11:14:15.614Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oklok_project:oklok:3.1.1:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "BD4A4E73-78DE-4A92-B729-F425AF47CDEB", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mica:fingerprint_bluetooth_padlock_fb50:-:*:*:*:*:*:*:*", "matchCriteriaId": "BBE92003-9390-4996-8851-7B736C7593DC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. This allows an attacker to brute force the four-digit verification code in order to bypass email verification and change the password of a victim account."}, {"lang": "es", "value": "La aplicaci\u00f3n m\u00f3vil complementaria OKLOK (versi\u00f3n 3.1.1) para Fingerprint Bluetooth Padlock FB50 (versi\u00f3n 2.3), no implementa correctamente su tiempo de espera en el c\u00f3digo de verificaci\u00f3n de cuatro d\u00edgitos que se requiere para restablecer las contrase\u00f1as, ni restringe apropiadamente los intentos de verificaci\u00f3n excesiva. Esto permite a un atacante forzar bruscamente el c\u00f3digo de verificaci\u00f3n de cuatro d\u00edgitos para omitir la verificaci\u00f3n de correo electr\u00f3nico y cambiar la contrase\u00f1a de una cuenta v\u00edctima."}], "id": "CVE-2020-10876", "lastModified": "2024-11-21T04:56:16.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-04T14:15:13.077", "references": [{"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://apps.apple.com/us/app/oklok/id1392287771"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/fierceoj/ownklok"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://apps.apple.com/us/app/oklok/id1392287771"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/fierceoj/ownklok"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}, {"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}]}