CVE-2019-5035

CWE-307 CWE-327 — Broken Cryptographic Algorithm3 documents3 sources

Severity

9.0CRITICAL

EPSS

0.5%

top 32.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Nest CAM IQ Indoor Firmware

Timeline

PublishedAug 20

Latest updateMay 24

Description

An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker can send specially crafted packets to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.2 | Impact: 6.0

Affected Packages2 packages

▶NVDgoogle/nest_cam_iq_indoor_firmware4620002

▶CVEListV5nest_labsNest Labs Nest Cam IQ Indoor version 4620002

🔴Vulnerability Details

GHSA

GHSA-r4rh-rgr8-5wjr: An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002↗2022-05-24

▶

CVEList

CVE-2019-5035: An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002↗2019-08-20

▶