6.3

CVE-2023-45866

EPSS 28.27%
Published 08.12.2023 06:15:45
Last modified 12.12.2024 14:33:00
Source cve@mitre.org
Teams watchlist Login
Open Login

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

Affected products Warnungen 0 Metrics 2 CWE 1 References 16

Data is provided by the National Vulnerability Database (NVD)

Google ≫ Android Version4.2.2

Bluproducts ≫ Dash Version3.5

Google ≫ Android Version6.0.1

Google ≫ Nexus 5 Version-

Google ≫ Android Version10.0

Google ≫ Pixel 2 Version-

Google ≫ Android Version11.0

Google ≫ Pixel 2 Version-

Google ≫ Android Version13.0

Google ≫ Pixel 4a Version-
Google ≫ Pixel 6 Version-

Google ≫ Android Version14.0

Google ≫ Pixel 7 Version-

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version20.04 SwEdition-

Canonical ≫ Ubuntu Linux Version22.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version23.10

Apple ≫ iPhone OS Version16.6

Apple ≫ Iphone Se Version-

Apple ≫ macOS Version12.6.7

Apple ≫ Macbook Air Version2017

Apple ≫ macOS Version13.3.3

Apple ≫ Macbook Pro Versionm2

Fedoraproject ≫ Fedora Version38

Fedoraproject ≫ Fedora Version39

Apple ≫ iPadOS Version < 17.2

Apple ≫ iPhone OS Version < 17.2

Apple ≫ macOS Version >= 14.0 < 14.2

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	28.27%	0.964

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.3	2.8	3.4	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://bluetooth.com

Not Applicable

https://support.apple.com/kb/HT214036

Third Party Advisory

http://seclists.org/fulldisclosure/2023/Dec/9

Third Party Advisory

Mailing List

http://changelogs.ubuntu.com/changelogs/pool/main/b/bluez/bluez_5.64-0ubuntu1/changelog

Release Notes

http://seclists.org/fulldisclosure/2023/Dec/7

Third Party Advisory

Mailing List

https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675

Patch

Mailing List

https://github.com/skysafe/reblog/tree/main/cve-2023-45866

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/12/msg00011.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/77YQQS5FXPYE6WBBZO3REFIRAUJHERFA/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2N2P5LMP3V7IJONALV2KOFL4NUU23CJ/

Mailing List

https://security.gentoo.org/glsa/202401-03

https://support.apple.com/kb/HT214035

Third Party Advisory

https://www.debian.org/security/2023/dsa-5584

https://nvd.nist.gov/vuln/detail/CVE-2023-45866

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-45866

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-45866

EUVD