CVE-2022-29945

DJI drone devices sold in 2017 through 2022 broadcast unencrypted information about the drone operator's physical location via the AeroScope protocol.

CVSS v3 4.0 MEDIUM
CVSS v2.0 5.0 MEDIUM

4.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://twitter.com/StarFire2258/status/1519767091829637120	Third Party Advisory
https://twitter.com/d0tslash/status/1519774807776284672	Third Party Advisory
https://www.theverge.com/2022/4/28/23046916/dji-aeroscope-signals-not-encrypted-drone-tracking	Press/Media Coverage Third Party Advisory
https://twitter.com/StarFire2258/status/1519767091829637120	Third Party Advisory
https://twitter.com/d0tslash/status/1519774807776284672	Third Party Advisory
https://www.theverge.com/2022/4/28/23046916/dji-aeroscope-signals-not-encrypted-drone-tracking	Press/Media Coverage Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dji:mavic_3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dji:mavic_3:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:dji:rc_pro_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dji:rc_pro:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:dji:air_2s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dji:air_2s:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:dji:air_2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dji:air_2:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:dji:mini_2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dji:mini_2:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:dji:mini_se_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dji:mini_se:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:dji:fpv_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dji:fpv:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:dji:fhantom_4_pro_firmware:-:*:*:*:*:*:*:*

OR	cpe:2.3:h:dji:fhantom_4_pro:-:::::::*
	cpe:2.3:h:dji:fhantom_4_pro:2.0:::::::*

Configuration 9 (hide)

AND

cpe:2.3:o:dji:inspire_2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dji:inspire_2:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:dji:zenmuse_x7_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dji:zenmuse_x7:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:dji:zenmuse_x5s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dji:zenmuse_x5s:-:*:*:*:*:*:*:*

History

21 Nov 2024, 07:00

Type	Values Removed	Values Added
References	~~() https://twitter.com/StarFire2258/status/1519767091829637120 - Third Party Advisory~~	() https://twitter.com/StarFire2258/status/1519767091829637120 - Third Party Advisory
References	~~() https://twitter.com/d0tslash/status/1519774807776284672 - Third Party Advisory~~	() https://twitter.com/d0tslash/status/1519774807776284672 - Third Party Advisory
References	~~() https://www.theverge.com/2022/4/28/23046916/dji-aeroscope-signals-not-encrypted-drone-tracking - Press/Media Coverage, Third Party Advisory~~	() https://www.theverge.com/2022/4/28/23046916/dji-aeroscope-signals-not-encrypted-drone-tracking - Press/Media Coverage, Third Party Advisory
CVSS	v2 : ~~5.0~~ v3 : ~~7.5~~	v2 : 5.0 v3 : 4.0

08 Aug 2023, 14:22

Type	Values Removed	Values Added
CWE	~~CWE-311~~	CWE-319

Information

Published : 2022-04-29 20:15

Updated : 2024-11-21 07:00

NVD link : CVE-2022-29945

Mitre link : CVE-2022-29945

CVE.ORG link : CVE-2022-29945

JSON object : View

Products Affected

dji

air_2
mavic_3_firmware
inspire_2_firmware
air_2s_firmware
inspire_2
fpv
rc_pro
zenmuse_x7
air_2s
air_2_firmware
mini_2
zenmuse_x7_firmware
zenmuse_x5s_firmware
fhantom_4_pro_firmware
rc_pro_firmware
mini_2_firmware
zenmuse_x5s
mini_se_firmware
mini_se
fpv_firmware
mavic_3
fhantom_4_pro

CWE

CWE-319

Cleartext Transmission of Sensitive Information

4.0 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2022-29945

4.0^/10

5.0^/10

Attach tags to `CVE-2022-29945`