CVE-2018-3927
MEDIUMSamsung STH-ETH-250 Firmware 0.20.17 - Information Disclosure via Insecure HTTPS Connection to backtrace.io
Title source: llmDescription
An exploitable information disclosure vulnerability exists in the crash handler of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. When hubCore crashes, Google Breakpad is used to record minidumps, which are sent over an insecure HTTPS connection to the backtrace.io service, leading to the exposure of sensitive data. An attacker can impersonate the remote backtrace.io server in order to trigger this vulnerability.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0594
Scores
CVSS v3
6.8
EPSS
0.0035
EPSS Percentile
57.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Details
CWE
CWE-295
Status
published
Products (1)
samsung/sth-eth-250_firmware
0.20.17
Published
Aug 27, 2018
Tracked Since
Feb 18, 2026