CVE-2024-47078

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-47078
Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT Server. Nodes can communicate directly via an internet connection or proxied through a connected phone (i.e., via bluetooth). Prior to version 2.5.1, multiple weaknesses in the MQTT implementation allow for authentication and authorization bypasses resulting in unauthorized control of MQTT-connected nodes. Version 2.5.1 contains a patch.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/meshtastic/firmware/security/advisories/GHSA-vqcq-wjwx-7252 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*
History

01 Oct 2024, 18:29

Type Values Removed Values Added
CPE cpe:2.3:a:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*
First Time Meshtastic
Meshtastic meshtastic Firmware
References () https://github.com/meshtastic/firmware/security/advisories/GHSA-vqcq-wjwx-7252 - () https://github.com/meshtastic/firmware/security/advisories/GHSA-vqcq-wjwx-7252 - Third Party Advisory
CVSS v2 : unknown
v3 : 8.1 		v2 : unknown
v3 : 9.8

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) Meshtastic es una red en malla descentralizada, fuera de la red y de código abierto. Meshtastic utiliza MQTT para comunicarse a través de una conexión a Internet con un servidor MQTT privado o compartido. Los nodos pueden comunicarse directamente a través de una conexión a Internet o mediante un proxy a través de un teléfono conectado (es decir, mediante Bluetooth). Antes de la versión 2.5.1, varias debilidades en la implementación de MQTT permitían eludir la autenticación y la autorización, lo que daba como resultado un control no autorizado de los nodos conectados a MQTT. La versión 2.5.1 contiene un parche.

25 Sep 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-25 16:15

Updated : 2024-10-01 18:29

NVD link : CVE-2024-47078

Mitre link : CVE-2024-47078

CVE.ORG link : CVE-2024-47078

JSON object : View

Products Affected

meshtastic

  • meshtastic_firmware
CWE
CWE-863

Incorrect Authorization

CWE-287

Improper Authentication