Vulnerabilites related to Espressif - ESP32
cve-2021-41104
Vulnerability from cvelistv5
Published
2021-09-28 15:15
Modified
2024-08-04 02:59
Severity ?
EPSS score ?
Summary
ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm | x_refsource_CONFIRM | |
| https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e | x_refsource_MISC | |
| https://github.com/esphome/esphome/releases/tag/2021.9.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.350Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "esphome",
"vendor": "esphome",
"versions": [
{
"status": "affected",
"version": "\u003c 2021.9.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username \u0026 password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-28T15:15:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"
}
],
"source": {
"advisory": "GHSA-48mj-p7x2-5jfm",
"discovery": "UNKNOWN"
},
"title": "web_server allows OTA update without checking user defined basic auth username \u0026 password",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41104",
"STATE": "PUBLIC",
"TITLE": "web_server allows OTA update without checking user defined basic auth username \u0026 password"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "esphome",
"version": {
"version_data": [
{
"version_value": "\u003c 2021.9.2"
}
]
}
}
]
},
"vendor_name": "esphome"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username \u0026 password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-306: Missing Authentication for Critical Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm",
"refsource": "CONFIRM",
"url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"
},
{
"name": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e",
"refsource": "MISC",
"url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"
},
{
"name": "https://github.com/esphome/esphome/releases/tag/2021.9.2",
"refsource": "MISC",
"url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"
}
]
},
"source": {
"advisory": "GHSA-48mj-p7x2-5jfm",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41104",
"datePublished": "2021-09-28T15:15:11",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-13595
Vulnerability from cvelistv5
Published
2020-08-31 14:59
Modified
2024-08-04 12:25
Severity ?
EPSS score ?
Summary
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target's BLE stack) by sending a crafted sequence of BLE packets.
References
| ▼ | URL | Tags |
|---|---|---|
| https://asset-group.github.io/disclosures/sweyntooth/ | x_refsource_MISC | |
| https://asset-group.github.io/cves.html | x_refsource_MISC | |
| https://github.com/espressif/esp32-bt-lib | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:25:16.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://asset-group.github.io/disclosures/sweyntooth/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://asset-group.github.io/cves.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/espressif/esp32-bt-lib"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target\u0027s BLE stack) by sending a crafted sequence of BLE packets."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-31T14:59:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://asset-group.github.io/disclosures/sweyntooth/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://asset-group.github.io/cves.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp32-bt-lib"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13595",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target\u0027s BLE stack) by sending a crafted sequence of BLE packets."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://asset-group.github.io/disclosures/sweyntooth/",
"refsource": "MISC",
"url": "https://asset-group.github.io/disclosures/sweyntooth/"
},
{
"name": "https://asset-group.github.io/cves.html",
"refsource": "MISC",
"url": "https://asset-group.github.io/cves.html"
},
{
"name": "https://github.com/espressif/esp32-bt-lib",
"refsource": "MISC",
"url": "https://github.com/espressif/esp32-bt-lib"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13595",
"datePublished": "2020-08-31T14:59:57",
"dateReserved": "2020-05-26T00:00:00",
"dateUpdated": "2024-08-04T12:25:16.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-34173
Vulnerability from cvelistv5
Published
2021-07-14 18:32
Modified
2024-08-04 00:05
Severity ?
EPSS score ?
Summary
An attacker can cause a Denial of Service and kernel panic in v4.2 and earlier versions of Espressif esp32 via a malformed beacon csa frame. The device requires a reboot to recover.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/E7mer | x_refsource_MISC | |
| https://github.com/E7mer/OWFuzz | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:05:52.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/E7mer"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/E7mer/OWFuzz"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker can cause a Denial of Service and kernel panic in v4.2 and earlier versions of Espressif esp32 via a malformed beacon csa frame. The device requires a reboot to recover."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-14T18:32:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/E7mer"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/E7mer/OWFuzz"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-34173",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An attacker can cause a Denial of Service and kernel panic in v4.2 and earlier versions of Espressif esp32 via a malformed beacon csa frame. The device requires a reboot to recover."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/E7mer",
"refsource": "MISC",
"url": "https://github.com/E7mer"
},
{
"name": "https://github.com/E7mer/OWFuzz",
"refsource": "MISC",
"url": "https://github.com/E7mer/OWFuzz"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-34173",
"datePublished": "2021-07-14T18:32:54",
"dateReserved": "2021-06-07T00:00:00",
"dateUpdated": "2024-08-04T00:05:52.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-27840
Vulnerability from cvelistv5
Published
2025-03-08 00:00
Modified
2025-05-12 15:33
Severity ?
EPSS score ?
Summary
Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory).
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T15:04:13.290734Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T15:33:14.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ESP32",
"vendor": "Espressif",
"versions": [
{
"status": "affected",
"version": "2025-03-06",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-912",
"description": "CWE-912 Hidden Functionality",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T17:03:29.921Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/TarlogicSecurity/Talks/blob/main/2025_RootedCon_BluetoothTools.pdf"
},
{
"url": "https://x.com/pascal_gujer/status/1898442439704158276"
},
{
"url": "https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/"
},
{
"url": "https://www.bleepingcomputer.com/news/security/undocumented-backdoor-found-in-bluetooth-chip-used-by-a-billion-devices/"
},
{
"url": "https://reg.rootedcon.com/cfp/schedule/talk/5"
},
{
"url": "https://flyingpenguin.com/?p=67838"
},
{
"url": "https://github.com/em0gi/CVE-2025-27840"
},
{
"url": "https://github.com/orgs/espruino/discussions/7699"
},
{
"url": "https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/"
},
{
"url": "https://darkmentor.com/blog/esp32_non-backdoor/"
},
{
"url": "https://news.ycombinator.com/item?id=43308740"
},
{
"url": "https://news.ycombinator.com/item?id=43301369"
},
{
"url": "https://github.com/esphome/esphome/discussions/8382"
},
{
"url": "https://cheriot.org/auditing/backdoor/2025/03/09/no-esp32-style-backdoor.html"
},
{
"url": "https://www.espressif.com/en/news/Response_ESP32_Bluetooth"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-27840",
"datePublished": "2025-03-08T00:00:00.000Z",
"dateReserved": "2025-03-08T00:00:00.000Z",
"dateUpdated": "2025-05-12T15:33:14.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-28136
Vulnerability from cvelistv5
Published
2021-09-07 05:52
Modified
2024-08-03 21:33
Severity ?
EPSS score ?
Summary
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/espressif/esp-idf | x_refsource_MISC | |
| https://github.com/espressif/esp32-bt-lib | x_refsource_MISC | |
| https://www.espressif.com/en/products/socs/esp32 | x_refsource_MISC | |
| https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/espressif/esp-idf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.espressif.com/en/products/socs/esp32"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-07T05:52:46",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.espressif.com/en/products/socs/esp32"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-28136",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/espressif/esp-idf",
"refsource": "MISC",
"url": "https://github.com/espressif/esp-idf"
},
{
"name": "https://github.com/espressif/esp32-bt-lib",
"refsource": "MISC",
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"name": "https://www.espressif.com/en/products/socs/esp32",
"refsource": "MISC",
"url": "https://www.espressif.com/en/products/socs/esp32"
},
{
"name": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf",
"refsource": "MISC",
"url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-28136",
"datePublished": "2021-09-07T05:52:46",
"dateReserved": "2021-03-11T00:00:00",
"dateUpdated": "2024-08-03T21:33:17.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-13594
Vulnerability from cvelistv5
Published
2020-08-31 14:58
Modified
2024-08-04 12:25
Severity ?
EPSS score ?
Summary
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet.
References
| ▼ | URL | Tags |
|---|---|---|
| https://asset-group.github.io/disclosures/sweyntooth/ | x_refsource_MISC | |
| https://asset-group.github.io/cves.html | x_refsource_MISC | |
| https://github.com/espressif/esp32-bt-lib | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:25:16.208Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://asset-group.github.io/disclosures/sweyntooth/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://asset-group.github.io/cves.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/espressif/esp32-bt-lib"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-31T14:58:25",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://asset-group.github.io/disclosures/sweyntooth/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://asset-group.github.io/cves.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp32-bt-lib"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13594",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://asset-group.github.io/disclosures/sweyntooth/",
"refsource": "MISC",
"url": "https://asset-group.github.io/disclosures/sweyntooth/"
},
{
"name": "https://asset-group.github.io/cves.html",
"refsource": "MISC",
"url": "https://asset-group.github.io/cves.html"
},
{
"name": "https://github.com/espressif/esp32-bt-lib",
"refsource": "MISC",
"url": "https://github.com/espressif/esp32-bt-lib"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13594",
"datePublished": "2020-08-31T14:58:25",
"dateReserved": "2020-05-26T00:00:00",
"dateUpdated": "2024-08-04T12:25:16.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-28139
Vulnerability from cvelistv5
Published
2021-09-07 06:27
Modified
2024-08-03 21:33
Severity ?
EPSS score ?
Summary
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/espressif/esp-idf | x_refsource_MISC | |
| https://github.com/espressif/esp32-bt-lib | x_refsource_MISC | |
| https://www.espressif.com/en/products/socs/esp32 | x_refsource_MISC | |
| https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/espressif/esp-idf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.espressif.com/en/products/socs/esp32"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-07T06:27:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.espressif.com/en/products/socs/esp32"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-28139",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/espressif/esp-idf",
"refsource": "MISC",
"url": "https://github.com/espressif/esp-idf"
},
{
"name": "https://github.com/espressif/esp32-bt-lib",
"refsource": "MISC",
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"name": "https://www.espressif.com/en/products/socs/esp32",
"refsource": "MISC",
"url": "https://www.espressif.com/en/products/socs/esp32"
},
{
"name": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf",
"refsource": "MISC",
"url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-28139",
"datePublished": "2021-09-07T06:27:53",
"dateReserved": "2021-03-11T00:00:00",
"dateUpdated": "2024-08-03T21:33:17.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2021-09-07 07:15
Modified
2024-11-21 05:59
Severity ?
Summary
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Technical Description, Third Party Advisory | |
| cve@mitre.org | https://github.com/espressif/esp-idf | Product, Third Party Advisory | |
| cve@mitre.org | https://github.com/espressif/esp32-bt-lib | Product, Third Party Advisory | |
| cve@mitre.org | https://www.espressif.com/en/products/socs/esp32 | Product, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp-idf | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp32-bt-lib | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.espressif.com/en/products/socs/esp32 | Product, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EFF8C3F9-F42A-48FF-ADBF-E09B7D7B5550",
"versionEndIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload."
},
{
"lang": "es",
"value": "La implementaci\u00f3n de Bluetooth Classic en Espressif ESP-IDF versiones 4.4 y anteriores, no restringe apropiadamente la P\u00e1gina de Funcionalidades tras la recepci\u00f3n de un paquete LMP de Funci\u00f3n de Respuesta Ampliada, permitiendo a atacantes en el rango de radio desencadenar una ejecuci\u00f3n de c\u00f3digo arbitrario en ESP32 por medio de una carga de bits de Funcionalidades Ampliadas dise\u00f1ada"
}
],
"id": "CVE-2021-28139",
"lastModified": "2024-11-21T05:59:09.813",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-07T07:15:06.877",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Technical Description",
"Third Party Advisory"
],
"url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp-idf"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.espressif.com/en/products/socs/esp32"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description",
"Third Party Advisory"
],
"url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp-idf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.espressif.com/en/products/socs/esp32"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-31 15:15
Modified
2024-11-21 05:01
Severity ?
Summary
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://asset-group.github.io/cves.html | Third Party Advisory | |
| cve@mitre.org | https://asset-group.github.io/disclosures/sweyntooth/ | Third Party Advisory | |
| cve@mitre.org | https://github.com/espressif/esp32-bt-lib | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://asset-group.github.io/cves.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://asset-group.github.io/disclosures/sweyntooth/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp32-bt-lib | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1C54B320-683C-4645-86DC-65CE4FA1EAB4",
"versionEndIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet."
},
{
"lang": "es",
"value": "La implementaci\u00f3n del controlador Bluetooth Low Energy (BLE) en Espressif ESP-IDF versiones 4.2 y anteriores (para dispositivos ESP32) no restringe apropiadamente el campo channel map del paquete de petici\u00f3n de conexi\u00f3n en la recepci\u00f3n, permitiendo a unos atacantes en el radio de alcance causar una denegaci\u00f3n de servicio (bloqueo) por medio de un paquete dise\u00f1ado"
}
],
"id": "CVE-2020-13594",
"lastModified": "2024-11-21T05:01:34.633",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-31T15:15:10.633",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://asset-group.github.io/cves.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://asset-group.github.io/disclosures/sweyntooth/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://asset-group.github.io/cves.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://asset-group.github.io/disclosures/sweyntooth/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp32-bt-lib"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-31 15:15
Modified
2024-11-21 05:01
Severity ?
Summary
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target's BLE stack) by sending a crafted sequence of BLE packets.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://asset-group.github.io/cves.html | Third Party Advisory | |
| cve@mitre.org | https://asset-group.github.io/disclosures/sweyntooth/ | Third Party Advisory | |
| cve@mitre.org | https://github.com/espressif/esp32-bt-lib | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://asset-group.github.io/cves.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://asset-group.github.io/disclosures/sweyntooth/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp32-bt-lib | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F8034F36-3371-4111-AE71-573B85934B20",
"versionEndIncluding": "4.2",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target\u0027s BLE stack) by sending a crafted sequence of BLE packets."
},
{
"lang": "es",
"value": "La implementaci\u00f3n del controlador Bluetooth Low Energy (BLE) en Espressif ESP-IDF versiones 4.0 hasta 4.2 (para dispositivos ESP32) devuelve el n\u00famero errado de paquetes BLE completados y desencadena una aserci\u00f3n alcanzable en la pila del host cuando est\u00e1 recibiendo un paquete con un fallo de MIC. Un atacante dentro del radio de alcance puede desencadenar silenciosamente la aserci\u00f3n (que deshabilita la pila BLE del objetivo) al enviar una secuencia de paquetes BLE dise\u00f1ada"
}
],
"id": "CVE-2020-13595",
"lastModified": "2024-11-21T05:01:34.793",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-31T15:15:10.680",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://asset-group.github.io/cves.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://asset-group.github.io/disclosures/sweyntooth/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://asset-group.github.io/cves.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://asset-group.github.io/disclosures/sweyntooth/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp32-bt-lib"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-617"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-28 16:15
Modified
2024-11-21 06:25
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/esphome/esphome/releases/tag/2021.9.2 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/esphome/esphome/releases/tag/2021.9.2 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm | Patch, Third Party Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:esphome:esphome_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "731C3CD3-0010-4AD8-9622-D7B79FB08EE5",
"versionEndExcluding": "2021.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:espressif:esp8266:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0A1C8D90-B27E-4E82-8A72-E1FF3FABA1A0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username \u0026 password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`."
},
{
"lang": "es",
"value": "ESPHome es un sistema para controlar el ESP8266/ESP32. Cualquiera que tenga web_server habilitado y la autenticaci\u00f3n b\u00e1sica HTTP configurada en la versi\u00f3n 2021.9.1 o anterior, es vulnerable a un problema en el que \"web_server\" permite actualizaciones over-the-air (OTA) sin comprobar el nombre de usuario y la contrase\u00f1a de autenticaci\u00f3n b\u00e1sica definidos por el usuario. Este problema ha sido parcheado en la versi\u00f3n 2021.9.2. Como soluci\u00f3n, se puede deshabilitar o eliminar \"web_server\""
}
],
"id": "CVE-2021-41104",
"lastModified": "2024-11-21T06:25:28.620",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-28T16:15:08.413",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-08 20:15
Modified
2025-03-12 14:58
Severity ?
6.8 (Medium) - CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
6.8 (Medium) - CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| espressif | esp32_firmware | - | |
| espressif | esp32 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:espressif:esp32_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C81AEA93-C163-4E5C-A25D-D2903742C9EE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory)."
},
{
"lang": "es",
"value": "Los chips Espressif ESP32 permiten 29 comandos HCI ocultos, como 0xFC02 (Escribir memoria)."
}
],
"id": "CVE-2025-27840",
"lastModified": "2025-03-12T14:58:54.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 0.3,
"impactScore": 6.0,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 5.8,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-08T20:15:36.027",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"Technical Description"
],
"url": "https://cheriot.org/auditing/backdoor/2025/03/09/no-esp32-style-backdoor.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"Technical Description"
],
"url": "https://darkmentor.com/blog/esp32_non-backdoor/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"Technical Description"
],
"url": "https://flyingpenguin.com/?p=67838"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/TarlogicSecurity/Talks/blob/main/2025_RootedCon_BluetoothTools.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/em0gi/CVE-2025-27840"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/esphome/esphome/discussions/8382"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/orgs/espruino/discussions/7699"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=43301369"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=43308740"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://reg.rootedcon.com/cfp/schedule/talk/5"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Press/Media Coverage"
],
"url": "https://www.bleepingcomputer.com/news/security/undocumented-backdoor-found-in-bluetooth-chip-used-by-a-billion-devices/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Press/Media Coverage"
],
"url": "https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/"
},
{
"source": "cve@mitre.org",
"tags": [
"Press/Media Coverage"
],
"url": "https://www.espressif.com/en/news/Response_ESP32_Bluetooth"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://x.com/pascal_gujer/status/1898442439704158276"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-912"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-07 06:15
Modified
2024-11-21 05:59
Severity ?
Summary
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Technical Description, Third Party Advisory | |
| cve@mitre.org | https://github.com/espressif/esp-idf | Product, Third Party Advisory | |
| cve@mitre.org | https://github.com/espressif/esp32-bt-lib | Product, Third Party Advisory | |
| cve@mitre.org | https://www.espressif.com/en/products/socs/esp32 | Product, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp-idf | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp32-bt-lib | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.espressif.com/en/products/socs/esp32 | Product, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EFF8C3F9-F42A-48FF-ADBF-E09B7D7B5550",
"versionEndIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet."
},
{
"lang": "es",
"value": "Una implementaci\u00f3n de Bluetooth Classic en Espressif ESP-IDF versiones 4.4 y anteriores, no maneja apropiadamente la recepci\u00f3n de m\u00faltiples paquetes de petici\u00f3n de capacidad LMP IO durante el proceso de emparejamiento, permitiendo a atacantes en el rango de radio desencadenar una corrupci\u00f3n de la memoria (y en consecuencia un bloqueo) en el ESP32 por medio de un paquete LMP reproducido (duplicado)"
}
],
"id": "CVE-2021-28136",
"lastModified": "2024-11-21T05:59:09.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-07T06:15:07.330",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Technical Description",
"Third Party Advisory"
],
"url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp-idf"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.espressif.com/en/products/socs/esp32"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description",
"Third Party Advisory"
],
"url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp-idf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/espressif/esp32-bt-lib"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.espressif.com/en/products/socs/esp32"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-14 19:15
Modified
2024-11-21 06:09
Severity ?
Summary
An attacker can cause a Denial of Service and kernel panic in v4.2 and earlier versions of Espressif esp32 via a malformed beacon csa frame. The device requires a reboot to recover.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/E7mer | Third Party Advisory | |
| cve@mitre.org | https://github.com/E7mer/OWFuzz | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/E7mer | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/E7mer/OWFuzz | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| espressif | esp32_firmware | * | |
| espressif | esp32 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:espressif:esp32_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B713BF71-FBA4-4AE4-9105-8DD7EA1C8C7D",
"versionEndIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An attacker can cause a Denial of Service and kernel panic in v4.2 and earlier versions of Espressif esp32 via a malformed beacon csa frame. The device requires a reboot to recover."
},
{
"lang": "es",
"value": "Un atacante puede causar una Denegaci\u00f3n de Servicio y un p\u00e1nico del kernel en versi\u00f3n v4.2 y versiones anteriores de Espressif esp32 por medio de un marco csa de beacon malformado. El dispositivo requiere un reinicio para recuperarse"
}
],
"id": "CVE-2021-34173",
"lastModified": "2024-11-21T06:09:58.743",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-14T19:15:07.813",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/E7mer"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/E7mer/OWFuzz"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/E7mer"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/E7mer/OWFuzz"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}