CVE-2023-42189

moderate-risk
Published 2023-10-10

Insecure Permissions vulnerability in Connectivity Standards Alliance Matter Official SDK v.1.1.0.0, Nanoleaf Light strip v.3.5.10, Govee LED Strip v.3.00.42, SwitchBot Hub2 v.1.0-0.8, Philips Hue hub v.1.59.1959097030, and Yeelight smart lamp v.1.12.69 allows a remote attacker to cause a denial of service via a crafted script to the KeySetRemove function.

Do I need to act?

- 0.52% chance of exploitation (EPSS score: low exploit probability)
- Not on CISA KEV list: no confirmed active exploitation reported to CISA
- Patch status unknown: check vendor advisories for fix availability and mitigation guidance
- CVSS 7.5/10 High (NETWORK / LOW complexity)

Affected Products (9)

Mini Smart Wi-Fi Plug Firmware
Lightstrip Firmware
Led Strip Firmware
Hub2 Firmware
Hue Bridge Firmware
Smart Lamp Firmware
Smart Plug Firmware
Smart Bulb Firmware
Eve Door And Window Firmware
43 / 100
moderate-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 15/34 · Moderate