MEDIUM🇵🇱 Wersja polska

CVE-2024-47121

CVSS 6.0v4.0pub. 2024-09-26upd. 2024-11-01

The goTenna Pro App uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is recommended to use local QR encryption key sharing for additional security on this and previous versions.

CVSS Vector
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Gotenna Pro

    APP
    Gotenna
    < 2.0.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-47130HIGH8.7ten sam produkt

The goTenna Pro App allows unauthenticated attackers to remotely update the local public keys used for P2P an...

CVE-2024-47125HIGH7.6ten sam produkt

The goTenna Pro App does not authenticate public keys which allows an unauthenticated attacker to manipulate ...

CVE-2024-47126HIGH7.1ten sam produkt

The goTenna Pro App does not use SecureRandom when generating passwords for sharing cryptographic keys. The r...

CVE-2024-47129MEDIUM5.3ten sam produkt

The goTenna Pro App does not inject extra characters into broadcasted frames to obfuscate the length of messa...

CVE-2024-47122MEDIUM5.1ten sam produkt

In the goTenna Pro App, the encryption keys are stored along with a static IV on the End User Device (EUD). T...