CVE-2023-45866 — MEDIUM (6.3)

Q: How severe is CVE-2023-45866?

CVE-2023-45866 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-45866?

Check the references section above for vendor advisories and patch information. Affected products include: Google Android, Bluproducts Dash, Google Nexus 5, Google Pixel 2, Google Pixel 4A.

Vulnerability Description

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

CVSS Score

6.3

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Google	Android	4.2.2
Bluproducts	Dash	3.5
Google	Nexus 5	-
Google	Pixel 2	-
Google	Pixel 4A	-
Google	Pixel 6	-
Google	Pixel 7	-
Canonical	Ubuntu Linux	18.04
Apple	Iphone Os	16.6
Apple	Iphone Se	-
Apple	Macos	12.6.7
Apple	Macbook Air	2017
Apple	Macbook Pro	m2
Fedoraproject	Fedora	38
Apple	Ipados	< 17.2
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-287

References

http://changelogs.ubuntu.com/changelogs/pool/main/b/bluez/bluez_5.64-0ubuntu1/chRelease Notes
http://seclists.org/fulldisclosure/2023/Dec/7Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2023/Dec/9Mailing ListThird Party Advisory
https://bluetooth.comNot Applicable
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a4Mailing ListPatch
https://github.com/skysafe/reblog/tree/main/cve-2023-45866Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00011.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://security.gentoo.org/glsa/202401-03
https://support.apple.com/kb/HT214035Third Party Advisory
https://support.apple.com/kb/HT214036Third Party Advisory
https://www.debian.org/security/2023/dsa-5584
http://changelogs.ubuntu.com/changelogs/pool/main/b/bluez/bluez_5.64-0ubuntu1/chRelease Notes
http://seclists.org/fulldisclosure/2023/Dec/7Mailing ListThird Party Advisory

FAQ

What is CVE-2023-45866?

CVE-2023-45866 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injecti...

How severe is CVE-2023-45866?

CVE-2023-45866 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-45866?

Check the references section above for vendor advisories and patch information. Affected products include: Google Android, Bluproducts Dash, Google Nexus 5, Google Pixel 2, Google Pixel 4A.