CVE-2023-3612 - OpenCVE

Govee Home app has unprotected access to WebView component which can be opened by any app on the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or steal sensitive user data by displaying phishing content.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Govee	Home

Configuration 1 [-]

OR	cpe:2.3:a:govee:home::::::android::*
	cpe:2.3:a:govee:home::::::iphone_os::*

No data.

References

Link	Providers
https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10

History

No history.

MITRE

Status: PUBLISHED

Assigner: SK-CERT

Published: 2023-09-11T09:04:09.924Z

Updated: 2024-08-02T07:01:57.140Z

Reserved: 2023-07-11T06:15:11.185Z

Link: CVE-2023-3612

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-11T10:15:07.603

Modified: 2023-09-13T17:53:49.923

Link: CVE-2023-3612

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3612", "assignerOrgId": "bc375322-d3d7-4481-b261-e29662236cfd", "state": "PUBLISHED", "assignerShortName": "SK-CERT", "dateReserved": "2023-07-11T06:15:11.185Z", "datePublished": "2023-09-11T09:04:09.924Z", "dateUpdated": "2024-08-02T07:01:57.140Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Android", "iOS"], "product": "Govee Home", "vendor": "Govee", "versions": [{"lessThan": "5.8.01", "status": "affected", "version": "5.7.03", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jan Adamski (johnny1337.pl; jan.adamski@nask.pl)"}], "datePublic": "2023-09-11T10:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Govee Home app has unprotected access to WebView component which can be opened by any app on the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or steal sensitive user data by displaying phishing content. "}], "value": "Govee Home app has unprotected access to WebView component which can be opened by any app on\u00a0the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or\u00a0steal sensitive user data by displaying phishing content. "}], "impacts": [{"capecId": "CAPEC-98", "descriptions": [{"lang": "en", "value": "CAPEC-98 Phishing"}]}, {"capecId": "CAPEC-19", "descriptions": [{"lang": "en", "value": "CAPEC-19 Embedding Scripts within Scripts"}]}, {"capecId": "CAPEC-22", "descriptions": [{"lang": "en", "value": "CAPEC-22 Exploiting Trust in Client"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-749", "description": "CWE-749 Exposed Dangerous Method or Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bc375322-d3d7-4481-b261-e29662236cfd", "shortName": "SK-CERT", "dateUpdated": "2023-09-13T06:17:09.814Z"}, "references": [{"url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to version 5.8.01 (released on 17.08.2023) or latest"}], "value": "Update to version 5.8.01 (released on 17.08.2023) or latest"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2023-07-10T11:00:00.000Z", "value": "Received information about vulnerability from a security researcher - Jan Adamski (johnny1337.pl; jan.adamski@nask.pl)"}, {"lang": "en", "time": "2023-07-11T11:39:00.000Z", "value": "Initial notification of the vendor"}, {"lang": "en", "time": "2023-08-03T13:25:00.000Z", "value": "Vendor confirmed the receipt of vulnerability report"}, {"lang": "en", "time": "2023-08-10T13:25:00.000Z", "value": "Vendor informed about security update being released on 17.08.2023"}, {"lang": "en", "time": "2023-08-17T00:00:00.000Z", "value": "Updated version of the application released"}], "title": "Unprotected WebView access in Govee Home App", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.140Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:govee:home:*:*:*:*:*:android:*:*", "matchCriteriaId": "A620D3FC-BFD8-4142-B655-C1115D8871FF", "versionEndExcluding": "5.8.01", "vulnerable": true}, {"criteria": "cpe:2.3:a:govee:home:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "C81C8BA3-1AE7-4FC3-B52A-273210034903", "versionEndExcluding": "5.8.01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Govee Home app has unprotected access to WebView component which can be opened by any app on\u00a0the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or\u00a0steal sensitive user data by displaying phishing content. "}, {"lang": "es", "value": "La aplicaci\u00f3n Govee Home tiene acceso desprotegido al componente WebView que puede abrir cualquier aplicaci\u00f3n en el dispositivo. Al enviar una URL a un sitio manipulado, el atacante puede ejecutar JavaScript en el contexto de WebView o robar datos confidenciales del usuario mostrando contenido de phishing."}], "id": "CVE-2023-3612", "lastModified": "2023-09-13T17:53:49.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "incident@nbu.gov.sk", "type": "Secondary"}]}, "published": "2023-09-11T10:15:07.603", "references": [{"source": "incident@nbu.gov.sk", "tags": ["Third Party Advisory"], "url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10"}], "sourceIdentifier": "incident@nbu.gov.sk", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-749"}], "source": "incident@nbu.gov.sk", "type": "Secondary"}]}