4.3

CVE-2018-12716

EPSS 0.19%
Published 25.06.2018 02:29:00
Last modified 21.11.2024 03:45:43
Source cve@mitre.org
Teams watchlist Login
Open Login

The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its local network, extracting the scan_results bssid fields, and sending these fields in a geolocation/v1/geolocate Google Maps Geolocation API request.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Google ≫ Chromecast Firmware Version-

Google ≫ Chromecast Version-

Google ≫ Home Firmware Version-

Google ≫ Home Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.19%	0.416

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	3.3	6.5	2.9	AV:A/AC:L/Au:N/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://medium.com/%40brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325

https://krebsonsecurity.com/2018/06/google-to-fix-location-data-leak-in-google-home-chromecast/

Third Party Advisory

Issue Tracking

https://www.tripwire.com/state-of-security/vert/googles-newest-feature-find-my-home/

Third Party Advisory

https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-12716

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-12716

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-12716

EUVD