CVE-2024-45038

Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic device firmware is subject to a denial of serivce vulnerability in MQTT handling, fixed in version 2.4.1 of the Meshtastic firmware and on the Meshtastic public MQTT Broker. It's strongly suggested that all users of Meshtastic, particularly those that connect to a privately hosted MQTT server, update to this or a more recent stable version right away. There are no known workarounds for this vulnerability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5

Configurations

No configuration.

History

No history.

Information

Published : 2024-08-27 21:15

Updated : 2024-08-28 12:57

NVD link : CVE-2024-45038

Mitre link : CVE-2024-45038

CVE.ORG link : CVE-2024-45038

JSON object : View

Products Affected

No product.

CWE

CWE-755

Improper Handling of Exceptional Conditions

{"id": "CVE-2024-45038", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-08-27T21:15:07.380", "references": [{"url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-755"}]}], "descriptions": [{"lang": "en", "value": "Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic device firmware is subject to a denial of serivce vulnerability in MQTT handling, fixed in version 2.4.1 of the Meshtastic firmware and on the Meshtastic public MQTT Broker. It's strongly suggested that all users of Meshtastic, particularly those that connect to a privately hosted MQTT server, update to this or a more recent stable version right away. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "El firmware del dispositivo Meshtastic es un firmware para que los dispositivos meshtastic ejecuten una red de malla de c\u00f3digo abierto, fuera de la red, descentralizada y dise\u00f1ada para funcionar en dispositivos asequibles y de bajo consumo. El firmware del dispositivo Meshtastic est\u00e1 sujeto a una vulnerabilidad de denegaci\u00f3n de servicio en el manejo de MQTT, corregida en la versi\u00f3n 2.4.1 del firmware Meshtastic y en el Broker MQTT p\u00fablico Meshtastic. Se recomienda encarecidamente que todos los usuarios de Meshtastic, especialmente aquellos que se conectan a un servidor MQTT alojado de forma privada, actualicen a esta o a una versi\u00f3n estable m\u00e1s reciente de inmediato. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-08-28T12:57:39.090", "sourceIdentifier": "security-advisories@github.com"}