CVE-2017-14797 — HIGH (7.5)

Vulnerability Description

Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtain complete control of the connected accessories) by leveraging the ability to sniff HTTP traffic on the local intranet network.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Philips	Hue Bridge Bsb002 Firmware	1707040932
Philips	Hue Bridge Bsb002	-

Related Weaknesses (CWE)

CWE-326

References

FAQ

What is CVE-2017-14797?

CVE-2017-14797 is a vulnerability with a CVSS score of 7.5 (HIGH). Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtai...

How severe is CVE-2017-14797?

CVE-2017-14797 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-14797?

Check the references section above for vendor advisories and patch information. Affected products include: Philips Hue Bridge Bsb002 Firmware, Philips Hue Bridge Bsb002.