Multiple vulnerabilities in Samsung SmartThings
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2022-39871 CVE-2022-39865 CVE-2022-39866 CVE-2022-39867 CVE-2022-39868 CVE-2022-39869 CVE-2022-39870 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SmartThings Mobile applications / Apps for mobile phones |
| Vendor | Samsung |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU68326
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39871
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in cloudNotificationManager.java. A remote attacker can access sensitive information via implicit broadcasts.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSmartThings: before 1.7.89.0
CPE2.3 External linkshttps://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=10
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU68333
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39865
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in ContentsSharingActivity.java. A remote attacker can access sensitive information via implicit broadcast.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSmartThings: before 1.7.89.0
CPE2.3 External linkshttps://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=10
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper access control
EUVDB-ID: #VU68332
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39866
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in RegisteredEventMediator.kt. A remote attacker can access sensitive information via implicit broadcast.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSmartThings: before 1.7.89.0
CPE2.3 External linkshttps://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=10
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper access control
EUVDB-ID: #VU68331
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39867
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in cloudNotificationManager.java. A remote attacker can access sensitive information via SHOW_PERSISTENT_BANNER broadcast.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSmartThings: before 1.7.89.0
CPE2.3 External linkshttps://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=10
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper access control
EUVDB-ID: #VU68330
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39868
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in GedSamsungAccount.kt. A remote attacker can access sensitive information via implicit broadcast.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSmartThings: before 1.7.89.0
CPE2.3 External linkshttps://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=10
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper access control
EUVDB-ID: #VU68329
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39869
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in cloudNotificationManager.java. A remote attacker can access sensitive information via REMOVE_PERSISTENT_BANNER broadcast.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSmartThings: before 1.7.89.0
CPE2.3 External linkshttps://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=10
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper access control
EUVDB-ID: #VU68327
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39870
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in cloudNotificationManager.java. A remote attacker can access sensitive information via PUSH_MESSAGE_RECEIVED broadcast.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSmartThings: before 1.7.89.0
CPE2.3 External linkshttps://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=10
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
