CVE-2020-10876

{"id": "CVE-2020-10876", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-05-04T14:15:13.077", "references": [{"url": "https://apps.apple.com/us/app/oklok/id1392287771", "tags": ["Product", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/fierceoj/ownklok", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-307"}, {"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. This allows an attacker to brute force the four-digit verification code in order to bypass email verification and change the password of a victim account."}, {"lang": "es", "value": "La aplicaci\u00f3n m\u00f3vil complementaria OKLOK (versi\u00f3n 3.1.1) para Fingerprint Bluetooth Padlock FB50 (versi\u00f3n 2.3), no implementa correctamente su tiempo de espera en el c\u00f3digo de verificaci\u00f3n de cuatro d\u00edgitos que se requiere para restablecer las contrase\u00f1as, ni restringe apropiadamente los intentos de verificaci\u00f3n excesiva. Esto permite a un atacante forzar bruscamente el c\u00f3digo de verificaci\u00f3n de cuatro d\u00edgitos para omitir la verificaci\u00f3n de correo electr\u00f3nico y cambiar la contrase\u00f1a de una cuenta v\u00edctima."}], "lastModified": "2020-05-15T18:36:41.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oklok_project:oklok:3.1.1:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "BD4A4E73-78DE-4A92-B729-F425AF47CDEB"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:mica:fingerprint_bluetooth_padlock_fb50:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BBE92003-9390-4996-8851-7B736C7593DC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}