CVE-2023-45866

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-45866
Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

6.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
http://changelogs.ubuntu.com/changelogs/pool/main/b/bluez/bluez_5.64-0ubuntu1/changelog Release Notes
http://seclists.org/fulldisclosure/2023/Dec/7 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2023/Dec/9 Mailing List Third Party Advisory
https://bluetooth.com Not Applicable
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675 Mailing List Patch
https://github.com/skysafe/reblog/tree/main/cve-2023-45866 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00011.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/77YQQS5FXPYE6WBBZO3REFIRAUJHERFA/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2N2P5LMP3V7IJONALV2KOFL4NUU23CJ/ Mailing List
https://security.gentoo.org/glsa/202401-03
https://support.apple.com/kb/HT214035 Third Party Advisory
https://support.apple.com/kb/HT214036 Third Party Advisory
https://www.debian.org/security/2023/dsa-5584
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*
cpe:2.3:h:bluproducts:dash:3.5:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*
cpe:2.3:h:google:nexus_5:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
OR cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:11.0:*:*:*:*:*:*:*
cpe:2.3:h:google:pixel_2:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*
OR cpe:2.3:h:google:pixel_4a:-:*:*:*:*:*:*:*
cpe:2.3:h:google:pixel_6:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:h:google:pixel_7:-:*:*:*:*:*:*:*

Configuration 6 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:23.10:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:apple:iphone_os:16.6:*:*:*:*:*:*:*
cpe:2.3:h:apple:iphone_se:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:apple:macos:12.6.7:*:*:*:*:*:*:*
cpe:2.3:h:apple:macbook_air:2017:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:apple:macos:13.3.3:*:*:*:*:*:*:*
cpe:2.3:h:apple:macbook_pro:m2:*:*:*:*:*:*:*

Configuration 10 (hide)

OR cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

Configuration 11 (hide)

OR cpe:2.3:o:apple:ipad_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Configuration 12 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
History

05 Jan 2024, 13:15

Type Values Removed Values Added
References
  • () https://security.gentoo.org/glsa/202401-03 -

22 Dec 2023, 01:15

Type Values Removed Values Added
References
  • () https://www.debian.org/security/2023/dsa-5584 -

18 Dec 2023, 18:41

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-08 06:15

Updated : 2024-02-28 20:54

NVD link : CVE-2023-45866

Mitre link : CVE-2023-45866

CVE.ORG link : CVE-2023-45866

JSON object : View

Products Affected

google

  • pixel_6
  • android
  • nexus_5
  • pixel_2
  • pixel_4a
  • pixel_7

bluproducts

  • dash

apple

  • macbook_pro
  • macbook_air
  • iphone_os
  • iphone_se
  • macos
  • ipad_os

fedoraproject

  • fedora

canonical

  • ubuntu_linux

debian

  • debian_linux
CWE
CWE-287

Improper Authentication