CVE-2022-37193

Chipolo ONE Bluetooth tracker (2020) Chipolo iOS app version 4.13.0 is vulnerable to Incorrect Access Control. Chipolo devices suffer from access revocation evasion attacks once the malicious sharee obtains the access credentials.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://chipolo.net/en-us/products/chipolo-one-4-pack	Product
https://github.com/zhouxinan/CCS22MaaGIoT/blob/main/ChipoloONE.md	Third Party Advisory
https://chipolo.net/en-us/products/chipolo-one-4-pack	Product
https://github.com/zhouxinan/CCS22MaaGIoT/blob/main/ChipoloONE.md	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:chipolo:chipolo:4.13.0:*:*:*:*:iphone_os:*:*

cpe:2.3:h:chipolo:chipolo_one:-:*:*:*:*:*:*:*

History

21 Nov 2024, 07:14

Type	Values Removed	Values Added
References	~~() https://chipolo.net/en-us/products/chipolo-one-4-pack - Product~~	() https://chipolo.net/en-us/products/chipolo-one-4-pack - Product
References	~~() https://github.com/zhouxinan/CCS22MaaGIoT/blob/main/ChipoloONE.md - Third Party Advisory~~	() https://github.com/zhouxinan/CCS22MaaGIoT/blob/main/ChipoloONE.md - Third Party Advisory

Information

Published : 2022-09-27 23:15

Updated : 2024-11-21 07:14

NVD link : CVE-2022-37193

Mitre link : CVE-2022-37193

CVE.ORG link : CVE-2022-37193

JSON object : View

Products Affected

chipolo

chipolo_one
chipolo

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2022-37193", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}]}, "published": "2022-09-27T23:15:14.417", "references": [{"url": "https://chipolo.net/en-us/products/chipolo-one-4-pack", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/zhouxinan/CCS22MaaGIoT/blob/main/ChipoloONE.md", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://chipolo.net/en-us/products/chipolo-one-4-pack", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/zhouxinan/CCS22MaaGIoT/blob/main/ChipoloONE.md", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "Chipolo ONE Bluetooth tracker (2020) Chipolo iOS app version 4.13.0 is vulnerable to Incorrect Access Control. Chipolo devices suffer from access revocation evasion attacks once the malicious sharee obtains the access credentials."}, {"lang": "es", "value": "Chipolo ONE Bluetooth tracker (2020) Chipolo iOS app versi\u00f3n 4.13.0, es vulnerable a un Control de Acceso Incorrecto. Los dispositivos Chipolo sufren ataques de evasi\u00f3n de revocaci\u00f3n de acceso una vez que el sharee malicioso obtiene las credenciales de acceso"}], "lastModified": "2024-11-21T07:14:35.770", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chipolo:chipolo:4.13.0:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "008C5D4C-7770-4877-AD8E-DD7A7086C790"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:chipolo:chipolo_one:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DE7CC982-417C-400C-B029-AAB5E38497BC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}