History: May 14, 2024 - 10:43 a.m.

CVE-2022-32507

2024-05-14 10:43:41
CWE-284
mitre
web.nvd.nist.gov
cve-2022-32507
nuki home solutions
ble commands
privileged accounts
unprivileged accounts
access controls
nuki smart lock 3.0
nuki smart lock 2.0
nvd

CVSS3: 8.8

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.1
Confidence: Low

An issue was discovered on certain Nuki Home Solutions devices. Some BLE commands, which should have been designed to be only called from privileged accounts, could also be called from unprivileged accounts. This demonstrates that no access controls were implemented for the different BLE commands across the different accounts. This affects Nuki Smart Lock 3.0 before 3.3.5 and Nuki Smart Lock 2.0 before 2.12.4.
