MEDIUM · 5.3

CVE-2018-17178

Vulnerability Description

An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the web socket replies with { "message" : "invalid authorization header" }. Without an active session, commands are still interpreted, but (except for eco-on and eco-off) have no effect, since without active driving, a driving direction does not change anything.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: HIGH
Availability: NONE

Affected Products

Vendor          Product                         Versions
Neatorobotics   Botvac D4 Connected Firmware    2.2.0
Neatorobotics   Botvac D4 Connected             -
Neatorobotics   Botvac D6 Connected Firmware    2.2.0
Neatorobotics   Botvac D6 Connected             -
Neatorobotics   Botvac D5 Connected Firmware    2.2.0
Neatorobotics   Botvac D5 Connected             -
Neatorobotics   Botvac D7 Connected Firmware    2.2.0
Neatorobotics   Botvac D7 Connected             -
Neatorobotics   Botvac D3 Connected Firmware    2.2.0
Neatorobotics   Botvac D3 Connected             -

References

FAQ

What is CVE-2018-17178?

CVE-2018-17178 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered on Neato Botvac Connected 2.2.0 devices: they execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. See the Vulnerability Description above for the full details.

How severe is CVE-2018-17178?

CVE-2018-17178 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-17178?

Check the references section above for vendor advisories and patch information. Affected products include: Neatorobotics Botvac D4 Connected Firmware, Neatorobotics Botvac D4 Connected, Neatorobotics Botvac D6 Connected Firmware, Neatorobotics Botvac D6 Connected, Neatorobotics Botvac D5 Connected Firmware, Neatorobotics Botvac D5 Connected, Neatorobotics Botvac D7 Connected Firmware, Neatorobotics Botvac D7 Connected, Neatorobotics Botvac D3 Connected Firmware, and Neatorobotics Botvac D3 Connected.