CVE-2023-3612 - Vulnerability Details - OpenCVE

Description

Govee Home app has unprotected access to WebView component which can be opened by any app on the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or steal sensitive user data by displaying phishing content.

Published: 2023-09-11

Score: 8.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Govee

Govee Home

unaffected

Version	Status	Constraints
`5.7.03`	affected	< 5.8.01

Configuration 1 [-]

OR	cpe:2.3:a:govee:home::::::android::*
	cpe:2.3:a:govee:home::::::iphone_os::*

No data.

No data available yet.

Remediation

Vendor Solution

Update to version 5.8.01 (released on 17.08.2023) or latest

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-44261	Govee Home app has unprotected access to WebView component which can be opened by any app on the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or steal sensitive user data by displaying phishing content.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00071.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10

History

Thu, 26 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Govee Home

MITRE

Status: PUBLISHED

Assigner: SK-CERT

Published: 2023-09-11T09:04:09.924Z

Updated: 2024-09-26T14:32:25.277Z

Reserved: 2023-07-11T06:15:11.185Z

Link: CVE-2023-3612

Vulnrichment

Updated: 2024-08-02T07:01:57.140Z

NVD

Status : Modified

Published: 2023-09-11T10:15:07.603

Modified: 2024-11-21T08:17:40.140

Link: CVE-2023-3612

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3612", "assignerOrgId": "bc375322-d3d7-4481-b261-e29662236cfd", "state": "PUBLISHED", "assignerShortName": "SK-CERT", "dateReserved": "2023-07-11T06:15:11.185Z", "datePublished": "2023-09-11T09:04:09.924Z", "dateUpdated": "2024-09-26T14:32:25.277Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Android", "iOS"], "product": "Govee Home", "vendor": "Govee", "versions": [{"lessThan": "5.8.01", "status": "affected", "version": "5.7.03", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jan Adamski (johnny1337.pl; jan.adamski@nask.pl)"}], "datePublic": "2023-09-11T10:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Govee Home app has unprotected access to WebView component which can be opened by any app on the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or steal sensitive user data by displaying phishing content. "}], "value": "Govee Home app has unprotected access to WebView component which can be opened by any app on\u00a0the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or\u00a0steal sensitive user data by displaying phishing content. "}], "impacts": [{"capecId": "CAPEC-98", "descriptions": [{"lang": "en", "value": "CAPEC-98 Phishing"}]}, {"capecId": "CAPEC-19", "descriptions": [{"lang": "en", "value": "CAPEC-19 Embedding Scripts within Scripts"}]}, {"capecId": "CAPEC-22", "descriptions": [{"lang": "en", "value": "CAPEC-22 Exploiting Trust in Client"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-749", "description": "CWE-749 Exposed Dangerous Method or Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bc375322-d3d7-4481-b261-e29662236cfd", "shortName": "SK-CERT", "dateUpdated": "2023-09-13T06:17:09.814Z"}, "references": [{"url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to version 5.8.01 (released on 17.08.2023) or latest"}], "value": "Update to version 5.8.01 (released on 17.08.2023) or latest"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2023-07-10T11:00:00.000Z", "value": "Received information about vulnerability from a security researcher - Jan Adamski (johnny1337.pl; jan.adamski@nask.pl)"}, {"lang": "en", "time": "2023-07-11T11:39:00.000Z", "value": "Initial notification of the vendor"}, {"lang": "en", "time": "2023-08-03T13:25:00.000Z", "value": "Vendor confirmed the receipt of vulnerability report"}, {"lang": "en", "time": "2023-08-10T13:25:00.000Z", "value": "Vendor informed about security update being released on 17.08.2023"}, {"lang": "en", "time": "2023-08-17T00:00:00.000Z", "value": "Updated version of the application released"}], "title": "Unprotected WebView access in Govee Home App", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.140Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-26T14:32:16.829725Z", "id": "CVE-2023-3612", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T14:32:25.277Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.140Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3612", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-26T14:32:16.829725Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T14:32:21.404Z"}}], "cna": {"title": "Unprotected WebView access in Govee Home App", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jan Adamski (johnny1337.pl; jan.adamski@nask.pl)"}], "impacts": [{"capecId": "CAPEC-98", "descriptions": [{"lang": "en", "value": "CAPEC-98 Phishing"}]}, {"capecId": "CAPEC-19", "descriptions": [{"lang": "en", "value": "CAPEC-19 Embedding Scripts within Scripts"}]}, {"capecId": "CAPEC-22", "descriptions": [{"lang": "en", "value": "CAPEC-22 Exploiting Trust in Client"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Govee", "product": "Govee Home", "versions": [{"status": "affected", "version": "5.7.03", "lessThan": "5.8.01", "versionType": "custom"}], "platforms": ["Android", "iOS"], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-07-10T11:00:00.000Z", "value": "Received information about vulnerability from a security researcher - Jan Adamski (johnny1337.pl; jan.adamski@nask.pl)"}, {"lang": "en", "time": "2023-07-11T11:39:00.000Z", "value": "Initial notification of the vendor"}, {"lang": "en", "time": "2023-08-03T13:25:00.000Z", "value": "Vendor confirmed the receipt of vulnerability report"}, {"lang": "en", "time": "2023-08-10T13:25:00.000Z", "value": "Vendor informed about security update being released on 17.08.2023"}, {"lang": "en", "time": "2023-08-17T00:00:00.000Z", "value": "Updated version of the application released"}], "solutions": [{"lang": "en", "value": "Update to version 5.8.01 (released on 17.08.2023) or latest", "supportingMedia": [{"type": "text/html", "value": "Update to version 5.8.01 (released on 17.08.2023) or latest", "base64": false}]}], "datePublic": "2023-09-11T10:30:00.000Z", "references": [{"url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Govee Home app has unprotected access to WebView component which can be opened by any app on\u00a0the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or\u00a0steal sensitive user data by displaying phishing content. ", "supportingMedia": [{"type": "text/html", "value": "Govee Home app has unprotected access to WebView component which can be opened by any app on the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or steal sensitive user data by displaying phishing content. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-749", "description": "CWE-749 Exposed Dangerous Method or Function"}]}], "providerMetadata": {"orgId": "bc375322-d3d7-4481-b261-e29662236cfd", "shortName": "SK-CERT", "dateUpdated": "2023-09-13T06:17:09.814Z"}}}, "cveMetadata": {"cveId": "CVE-2023-3612", "state": "PUBLISHED", "dateUpdated": "2024-09-26T14:32:25.277Z", "dateReserved": "2023-07-11T06:15:11.185Z", "assignerOrgId": "bc375322-d3d7-4481-b261-e29662236cfd", "datePublished": "2023-09-11T09:04:09.924Z", "assignerShortName": "SK-CERT"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:govee:home:*:*:*:*:*:android:*:*", "matchCriteriaId": "A620D3FC-BFD8-4142-B655-C1115D8871FF", "versionEndExcluding": "5.8.01", "vulnerable": true}, {"criteria": "cpe:2.3:a:govee:home:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "C81C8BA3-1AE7-4FC3-B52A-273210034903", "versionEndExcluding": "5.8.01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Govee Home app has unprotected access to WebView component which can be opened by any app on\u00a0the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or\u00a0steal sensitive user data by displaying phishing content. "}, {"lang": "es", "value": "La aplicaci\u00f3n Govee Home tiene acceso desprotegido al componente WebView que puede abrir cualquier aplicaci\u00f3n en el dispositivo. Al enviar una URL a un sitio manipulado, el atacante puede ejecutar JavaScript en el contexto de WebView o robar datos confidenciales del usuario mostrando contenido de phishing."}], "id": "CVE-2023-3612", "lastModified": "2024-11-21T08:17:40.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "incident@nbu.gov.sk", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-11T10:15:07.603", "references": [{"source": "incident@nbu.gov.sk", "tags": ["Third Party Advisory"], "url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10"}], "sourceIdentifier": "incident@nbu.gov.sk", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-749"}], "source": "incident@nbu.gov.sk", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}