#VU100950 Input validation error in Apache NimBLE - CVE-2024-47249


Vulnerability identifier: #VU100950

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-47249

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Apache NimBLE
Universal components / Libraries / Software for developers

Vendor: Apache Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of controller-supplied input in HCI events that the NimBLE host stack receives from the Bluetooth controller. A local attacker who can attach a bogus (malicious or faulty) Bluetooth controller to the host can send malformed HCI events and cause a denial of service (DoS) in the host stack.
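The checks the description refers to, as an added illustration that is not NimBLE's code and not the vendor's fix: a minimal HCI event parser in which every length the controller supplies is bounded before it is used to index a buffer. The event layouts follow the Bluetooth Core specification (event code, parameter length, parameters; Disconnection Complete and Number of Completed Packets), while HCI_MAX_HANDLES, the status codes and all packets are constructed for the example.

```c
/* Constructed example of validating HCI events from a controller.
 * Not Apache NimBLE code; layouts per Bluetooth Core spec, caps assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HCI_EV_DISCONN_COMPLETE 0x05 /* params: status(1) handle(2) reason(1) */
#define HCI_EV_NUM_COMP_PKTS    0x13 /* params: num_handles(1), then handle(2)+count(2) each */
#define HCI_EV_HDR_LEN          2    /* evt_code(1) + param_len(1) */
#define HCI_MAX_HANDLES         8    /* assumed host capacity for tracked connections */

enum hci_status {
    HCI_OK = 0,
    HCI_ERR_SHORT = -1,    /* fewer bytes arrived than the header or param_len claims */
    HCI_ERR_BAD_LEN = -2,  /* param_len does not match the event's layout */
    HCI_ERR_TOO_MANY = -3, /* controller-supplied count exceeds host capacity */
    HCI_ERR_UNKNOWN = -4   /* event code this host does not handle */
};

struct hci_ev_disconn { uint8_t status; uint16_t handle; uint8_t reason; };
struct hci_ev_num_comp {
    uint8_t num_handles;
    uint16_t handle[HCI_MAX_HANDLES];
    uint16_t count[HCI_MAX_HANDLES];
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Step 1: param_len is controller data; clamp it to what actually arrived. */
static int hci_ev_hdr(const uint8_t *buf, size_t len, uint8_t *code,
                      const uint8_t **params, size_t *plen)
{
    if (len < HCI_EV_HDR_LEN) return HCI_ERR_SHORT;
    *code = buf[0];
    *plen = buf[1];
    if (*plen > len - HCI_EV_HDR_LEN) return HCI_ERR_SHORT;
    *params = buf + HCI_EV_HDR_LEN;
    return HCI_OK;
}

/* Step 2: a fixed-layout event must have exactly the expected parameter length. */
int hci_ev_parse_disconn(const uint8_t *buf, size_t len, struct hci_ev_disconn *out)
{
    uint8_t code; const uint8_t *p; size_t plen;
    int rc = hci_ev_hdr(buf, len, &code, &p, &plen);
    if (rc) return rc;
    if (code != HCI_EV_DISCONN_COMPLETE) return HCI_ERR_UNKNOWN;
    if (plen != 4) return HCI_ERR_BAD_LEN;
    out->status = p[0];
    out->handle = le16(p + 1);
    out->reason = p[3];
    return HCI_OK;
}

/* Step 3: a variable-layout event has a count that bounds both reads and writes. */
int hci_ev_parse_num_comp(const uint8_t *buf, size_t len, struct hci_ev_num_comp *out)
{
    uint8_t code; const uint8_t *p; size_t plen;
    int rc = hci_ev_hdr(buf, len, &code, &p, &plen);
    if (rc) return rc;
    if (code != HCI_EV_NUM_COMP_PKTS) return HCI_ERR_UNKNOWN;
    if (plen < 1) return HCI_ERR_BAD_LEN;
    uint8_t n = p[0];
    if (n > HCI_MAX_HANDLES) return HCI_ERR_TOO_MANY;       /* bounds out->handle[] writes */
    if (plen != 1 + (size_t)n * 4) return HCI_ERR_BAD_LEN;  /* bounds p[] reads */
    out->num_handles = n;
    for (uint8_t i = 0; i < n; i++) {
        out->handle[i] = le16(p + 1 + i * 4);
        out->count[i]  = le16(p + 3 + i * 4);
    }
    return HCI_OK;
}

/* Dispatch by event code; anything unhandled is dropped rather than blindly indexed. */
int hci_ev_dispatch(const uint8_t *buf, size_t len)
{
    uint8_t code; const uint8_t *p; size_t plen;
    int rc = hci_ev_hdr(buf, len, &code, &p, &plen);
    if (rc) return rc;
    switch (code) {
    case HCI_EV_DISCONN_COMPLETE: { struct hci_ev_disconn d; return hci_ev_parse_disconn(buf, len, &d); }
    case HCI_EV_NUM_COMP_PKTS:    { struct hci_ev_num_comp n; return hci_ev_parse_num_comp(buf, len, &n); }
    default: return HCI_ERR_UNKNOWN;
    }
}

/* Self-check over constructed packets (not captured traffic): returns the number of failed checks. */
int hci_ev_selftest(void)
{
    int fails = 0;
    struct hci_ev_disconn d;
    struct hci_ev_num_comp n;
    const uint8_t ok_disc[]    = {0x05, 0x04, 0x00, 0x40, 0x00, 0x13}; /* handle 0x0040, reason 0x13 */
    const uint8_t short_disc[] = {0x05, 0x04, 0x00};                   /* claims 4 param bytes, 1 arrived */
    const uint8_t ok_ncp[]     = {0x13, 0x05, 0x01, 0x40, 0x00, 0x02, 0x00}; /* 1 handle, 2 packets */
    const uint8_t bad_ncp[]    = {0x13, 0x01, 0xFF};                   /* claims 255 handles in 1 byte */

    fails += hci_ev_parse_disconn(ok_disc, sizeof ok_disc, &d) != HCI_OK || d.handle != 0x0040 || d.reason != 0x13;
    fails += hci_ev_parse_disconn(short_disc, sizeof short_disc, &d) != HCI_ERR_SHORT;
    fails += hci_ev_parse_num_comp(ok_ncp, sizeof ok_ncp, &n) != HCI_OK || n.num_handles != 1 || n.count[0] != 2;
    fails += hci_ev_parse_num_comp(bad_ncp, sizeof bad_ncp, &n) != HCI_ERR_TOO_MANY;
    return fails;
}

int main(void)
{
    int fails = hci_ev_selftest();
    printf("%s (%d failed checks)\n", fails ? "FAIL" : "OK", fails);
    return fails != 0;
}
```

The point of the example is the trust boundary: the controller sits on the far side of the HCI transport, so a bogus one can put any value in param_len or num_handles, and each must be checked against both the bytes actually received and the host's own capacity before it drives a loop or an array index.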

Mitigation
Install updates from the vendor's website. The affected range ends at 1.7.0, so upgrade to a later release.

Vulnerable software versions

Apache NimBLE: 1.0.0 - 1.7.0


External links
https://lists.apache.org/thread/hh1qtnb7tpgt5v9t5fylcmgb5do0tzt0


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system (to attach a bogus Bluetooth controller) in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
