CVE-2022-39176

6 documents6 sources

Severity

8.8HIGH

EPSS

0.1%

top 69.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bluez Bluez Canonical Ubuntu Linux Debian Debian Linux

Timeline

PublishedSep 2

Latest updateSep 3

Description

BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDbluez/bluez< 5.59

▶Debianbluez< 5.55-3.1+deb11u2+3

Also affects: Debian Linux 10.0, Ubuntu Linux 18.04, 20.04

Patches

Patch: bugs.launchpad.net ↗Patch: bugs.launchpad.net ↗

🔴Vulnerability Details

GHSA

GHSA-4hw3-29f2-2c2f: BlueZ before 5↗2022-09-03

▶

CVEList

CVE-2022-39176: BlueZ before 5↗2022-09-02

▶

OSV

CVE-2022-39176: BlueZ before 5↗2022-09-02

▶

📋Vendor Advisories

Red Hat

bluez: BlueZ allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len↗2022-09-02

▶

Debian

CVE-2022-39176: bluez - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive info...↗2022

▶