CVE-2024-47079

07.10.2024, 20:15

Meshtastic is an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic firmware is an open source firmware implementation for the broader project. The remote hardware module of the firmware does not have proper checks to ensure a remote hardware control message was received should be considered valid. This issue has been addressed in release version 2.5.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.4 MEDIUM	ADJACENT_NETWORK	HIGH	NONE	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
GitHub_M	CNA	6.4 MEDIUM	ADJACENT_NETWORK	HIGH	NONE	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Ubuntu Releases

Ubuntu Product

Codename

meshtastic

plucky	needs-triage
oracular	needs-triage
noble	dne
jammy	dne
focal	dne

Common Weakness Enumeration

CWE-345 - Insufficient Verification of Data Authenticity
The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References

https://github.com/meshtastic/firmware/security/advisories/GHSA-h8mh-p4r3-4jv7