CVE-2024-44097

According to the researcher: "The TLS connections are encrypted against tampering or eavesdropping. However, the application does not validate the server certificate properly while initializing the TLS connection. This allows for a network attacker to intercept the connection and read the data. The attacker could the either send the client a malicious response, or forward the (possibly modified) data to the real server."
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Google_DevicesCNA
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
VendorProductVersion
googlenest_doorbell_\(battery\)_firmware
𝑥
< 1.73c
googlenest_cam_\(outdoor_or_indoor\,_battery\)_firmware
𝑥
< 1.73c
googlenest_cam_with_floodlight_firmware
𝑥
< 1.73c
googlenest_cam_\(indoor\,_wired\)_firmware
𝑥
< 1.73c
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://support.google.com/product-documentation/answer/14950962?sjid=9489879942601373169-NA