SB2022101441 - Multiple vulnerabilities in Samsung SmartThings 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022101441

SB2022101441 - Multiple vulnerabilities in Samsung SmartThings

Published: October 14, 2022

Security Bulletin ID SB2022101441
Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Improper access control (CVE-ID: CVE-2022-39871)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in cloudNotificationManager.java. A remote attacker can access sensitive information via implicit broadcasts.


2) Improper access control (CVE-ID: CVE-2022-39865)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in ContentsSharingActivity.java. A remote attacker can access sensitive information via implicit broadcast.


3) Improper access control (CVE-ID: CVE-2022-39866)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in RegisteredEventMediator.kt. A remote attacker can access sensitive information via implicit broadcast.


4) Improper access control (CVE-ID: CVE-2022-39867)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in cloudNotificationManager.java. A remote attacker can access sensitive information via SHOW_PERSISTENT_BANNER broadcast.


5) Improper access control (CVE-ID: CVE-2022-39868)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in GedSamsungAccount.kt. A remote attacker can access sensitive information via implicit broadcast.


6) Improper access control (CVE-ID: CVE-2022-39869)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in cloudNotificationManager.java. A remote attacker can access sensitive information via REMOVE_PERSISTENT_BANNER broadcast.


7) Improper access control (CVE-ID: CVE-2022-39870)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in cloudNotificationManager.java. A remote attacker can access sensitive information via PUSH_MESSAGE_RECEIVED broadcast.


Remediation

Install update from vendor's website.

References