CVE-2020-26560 — Incorrect Authorization in Mesh Profile

CWE-863 — Incorrect Authorization7 documents6 sources

Severity

8.1HIGHNVD

EPSS

0.9%

top 23.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bluetooth Mesh Profile

Timeline

PublishedMay 24

Latest updateMay 24

Description

Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages1 packages

▶NVDbluetooth/mesh_profile1.0.0, 1.0.1+1

🔴Vulnerability Details

GHSA

GHSA-8qgh-c754-3crv: Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1↗2022-05-24

▶

CVEList

CVE-2020-26560: Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1↗2021-05-24

▶

OSV

CVE-2020-26560: Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1↗2021-05-24

▶

📋Vendor Advisories

Red Hat

kernel: impersonation attack in Bluetooth Mesh Provisioning↗2021-05-24

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Multiple vulnerabilities in Synology DiskStation Manager↗2021-04-20

▶

Talos

Vulnerability Spotlight: Multiple vulnerabilities in Synology DiskStation Manager↗2021-04-20

▶