Back

CVE-2023-51589

May 3, 2024, 12:48 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

BlueZ

Source

zdi-disclosures@trendmicro.com

Tags

zdi-disclosures@trendmicro.com
CWE-125
2024-05-03
CVE-2023-51589

CVE-2023-51589 details

Published : May 3, 2024, 3:16 a.m.
Last Modified : May 3, 2024, 12:48 p.m.

Description

BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20853.

CVSS Score

1 2 3 4 5.4 6 7 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

Base Score

5.4

Exploitability Score

Impact Score

Base Severity

MEDIUM

Vector String : CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L

References

URL Source
https://www.zerodayinitiative.com/advisories/ZDI-23-1904/ zdi-disclosures@trendmicro.com
This website uses the NVD API, but is not approved or certified by it.