CVE-2019-13143
CVE-2019-13143 is a vulnerability of currently unknown severity. An HTTP parameter pollution issue was discovered on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3. With the user ID, user name, and the lock's MAC address, anyone can unbind the existing owner of the lock, and bind themselves instead. EPSS estimates a 3.06% chance of exploitation in the next 30 days.
Description
An HTTP parameter pollution issue was discovered on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3. With the user ID, user name, and the lock's MAC address, anyone can unbind the existing owner of the lock and bind themselves instead. This leads to complete takeover of the lock. The user ID, name, and MAC address are trivially obtained from APIs found within the Android or iOS application. With only the MAC address of the lock, any attacker can transfer ownership of the lock from the current user to the attacker's account, rendering the lock completely inaccessible to the current user.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Shenzhen Dragon Brothers | FB50 Firmware | 2.3 |
References
- http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure/ (Exploit, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status: Modified
Source: NVD / NIST
