CVE-2023-42189
HIGHTapo Mini Smart Wi-fi Plug Firmware - Incorrect Permission Assignment
Title source: ruleDescription
Insecure Permissions vulnerability in Connectivity Standards Alliance Matter Official SDK v.1.1.0.0 , Nanoleaf Light strip v.3.5.10, Govee LED Strip v.3.00.42, switchBot Hub2 v.1.0-0.8, Phillips hue hub v.1.59.1959097030, and yeelight smart lamp v.1.12.69 allows a remote attacker to cause a denial of service via a crafted script to the KeySetRemove function.
References (3)
Core 3
Core References
Third Party Advisory
https://github.com/IoT-Fuzz/IoT-Fuzz/blob/main/Remove%20Key%20Set%20Vulnerability%20Report.pdf
Issue Tracking, Third Party Advisory
https://github.com/project-chip/connectedhomeip/issues/28518
Issue Tracking, Third Party Advisory
https://github.com/project-chip/connectedhomeip/issues/28679
Scores
CVSS v3
7.5
EPSS
0.0052
EPSS Percentile
67.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-732
Status
published
Products (9)
eve/eve_door_and_window_firmware
govee/led_strip_firmware
3.00.42
nanoleaf/lightstrip_firmware
3.5.10
orein/smart_bulb_firmware
phillips/hue_bridge_firmware
1.59.1959097030
switchbot/hub2_firmware
1.0-0.8
tapo/mini_smart_wi-fi_plug_firmware
tp-link/smart_plug_firmware
yeelight/smart_lamp_firmware
1.12.69
Published
Oct 10, 2023
Tracked Since
Feb 18, 2026