Vulnerability Description
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Coolkit | Ewelink | <= 4.9.1 |
Related Weaknesses (CWE)
References
- https://apps.apple.com/us/app/ewelink-smart-home/id1035163158ProductThird Party Advisory
- https://github.com/salgio/eWeLink-QR-CodeThird Party Advisory
- https://play.google.com/store/apps/details?id=com.coolkit&hl=en_USProductThird Party Advisory
- https://apps.apple.com/us/app/ewelink-smart-home/id1035163158ProductThird Party Advisory
- https://github.com/salgio/eWeLink-QR-CodeThird Party Advisory
- https://play.google.com/store/apps/details?id=com.coolkit&hl=en_USProductThird Party Advisory
FAQ
What is CVE-2021-27941?
CVE-2021-27941 is a vulnerability with a CVSS score of 4.6 (MEDIUM). Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically pr...
How severe is CVE-2021-27941?
CVE-2021-27941 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-27941?
Check the references section above for vendor advisories and patch information. Affected products include: Coolkit Ewelink.