#VU70711 Insufficient Session Expiration in Garmin Connect - CVE-2022-46081

Cybersecurity Help s.r.o.

Published: 2023-01-05

Vulnerability identifier: #VU70711

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-46081

CWE-ID: CWE-613

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Garmin Connect
Mobile applications / Apps for mobile phones

Vendor: Garmin

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient session expiration issue in the LiveTrack API. A remote non-authenticated attacker can gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Garmin Connect: 4.61

External links
https://www.samwallace.dev/research/Harvesting%20Emails%20with%20Expired%20Garmin%20LiveTrack%20Sessions

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information dislosure in Garmin Connect