CVE-2024-42483

Published: Sep 12, 2024

Modified: Sep 12, 2024

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An replay attacks vulnerability was discovered in the implementation of the ESP-NOW because the caches is not differentiated by message types, it is a single, shared resource for all kinds of messages, whether they are broadcast or unicast, and regardless of whether they are ciphertext or plaintext. This can result an attacker to clear the cache of its legitimate entries, there by creating an opportunity to re-inject previously captured packets. This vulnerability is fixed in 2.5.2.

Vendor	Product	Versions
espressif	esp-now	affected `< 2.5.2`

Weaknesses (CWE)

CWE-349

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/espressif/esp-now/security/advisories/GHSA-wf6q-c2xr-77xj

x_refsource_CONFIRM

https://github.com/espressif/esp-now/commit/4e30db50d541b2909d278ef0db05de1a3d7190ef

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-42483

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References