CVE-2021-27941

Опубликовано: 06 мая 2021

Источник: nvd

CVSS3: 4.6

CVSS2: 2.1

EPSS Низкий

Описание

Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.

Ссылки

https://apps.apple.com/us/app/ewelink-smart-home/id1035163158
Product
Third Party Advisory
https://github.com/salgio/eWeLink-QR-Code
Third Party Advisory
https://play.google.com/store/apps/details?id=com.coolkit&hl=en_US
Product
Third Party Advisory
https://apps.apple.com/us/app/ewelink-smart-home/id1035163158
Product
Third Party Advisory
https://github.com/salgio/eWeLink-QR-Code
Third Party Advisory
https://play.google.com/store/apps/details?id=com.coolkit&hl=en_US
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:iphone_os:*:*

Версия до 4.9.1 (включая)

cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:android:*:*

Версия до 4.9.2 (включая)

EPSS

Процентиль: 17%

0.00054

Низкий

4.6 Medium

CVSS3

2.1 Low

CVSS2

Дефекты

CWE-522

Связанные уязвимости

GHSA-qrrq-x7wc-w5x9