ID

VAR-201908-0589


CVE

CVE-2019-13143


TITLE

Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 Vulnerabilities related to security functions

Trust: 0.8

sources: JVNDB: JVNDB-2019-007609

DESCRIPTION

An HTTP parameter pollution issue was discovered on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3. With the user ID, user name, and the lock's MAC address, anyone can unbind the existing owner of the lock and bind themselves instead. This leads to complete takeover of the lock. The user ID, name, and MAC address are trivially obtained from APIs found within the Android or iOS application. With only the MAC address of the lock, any attacker can transfer ownership of the lock from the current user to the attacker's account, rendering the lock completely inaccessible to the current user.

Trust: 1.8

sources: NVD: CVE-2019-13143 // JVNDB: JVNDB-2019-007609 // VULHUB: VHN-144960 // VULMON: CVE-2019-13143

IOT TAXONOMY

category: ['home & office device'], sub_category: smart lock

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: dragon brothers, model: fb50, scope: eq, version: 2.3

Trust: 1.9

sources: VULMON: CVE-2019-13143 // JVNDB: JVNDB-2019-007609 // NVD: CVE-2019-13143

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-13143
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-13143
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201908-423
value: CRITICAL

Trust: 0.6

VULHUB: VHN-144960
value: HIGH

Trust: 0.1

VULMON: CVE-2019-13143
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-13143
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-144960
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2019-13143
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-144960 // VULMON: CVE-2019-13143 // JVNDB: JVNDB-2019-007609 // CNNVD: CNNVD-201908-423 // NVD: CVE-2019-13143

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.1

problemtype:CWE-254

Trust: 0.9

sources: VULHUB: VHN-144960 // JVNDB: JVNDB-2019-007609 // NVD: CVE-2019-13143

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-423

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201908-423

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007609

PATCH

title: pwnfb50, url: https://github.com/icyphox/pwnfb50

Trust: 0.1

title: pwnfb50, url: https://github.com/securelayer7/pwnfb50

Trust: 0.1

title: ownklok, url: https://github.com/fierceoj/ownklok

Trust: 0.1

title: PoC-in-GitHub, url: https://github.com/nomi-sec/PoC-in-GitHub

Trust: 0.1

sources: VULMON: CVE-2019-13143

EXTERNAL IDS

db: NVD, id: CVE-2019-13143

Trust: 2.7

db: JVNDB, id: JVNDB-2019-007609

Trust: 0.8

db: CNNVD, id: CNNVD-201908-423

Trust: 0.7

db: OTHER, id: NONE

Trust: 0.1

db: VULHUB, id: VHN-144960

Trust: 0.1

db: VULMON, id: CVE-2019-13143

Trust: 0.1

sources: OTHER: None // VULHUB: VHN-144960 // VULMON: CVE-2019-13143 // JVNDB: JVNDB-2019-007609 // CNNVD: CNNVD-201908-423 // NVD: CVE-2019-13143

REFERENCES

url:http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2019-13143

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13143

Trust: 0.8

url:https://backdropcms.org/security/backdrop-sa-core-2019-012

Trust: 0.8

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/254.html

Trust: 0.1

url:https://github.com/icyphox/pwnfb50

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: OTHER: None // VULHUB: VHN-144960 // VULMON: CVE-2019-13143 // JVNDB: JVNDB-2019-007609 // CNNVD: CNNVD-201908-423 // NVD: CVE-2019-13143

SOURCES

db: OTHER, id: -
db: VULHUB, id: VHN-144960
db: VULMON, id: CVE-2019-13143
db: JVNDB, id: JVNDB-2019-007609
db: CNNVD, id: CNNVD-201908-423
db: NVD, id: CVE-2019-13143

LAST UPDATE DATE

2025-01-30T22:30:29.823000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-144960, date: 2020-08-24T00:00:00
db: VULMON, id: CVE-2019-13143, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2019-007609, date: 2019-08-15T00:00:00
db: CNNVD, id: CNNVD-201908-423, date: 2020-10-28T00:00:00
db: NVD, id: CVE-2019-13143, date: 2024-11-21T04:24:17.070

SOURCES RELEASE DATE

db: VULHUB, id: VHN-144960, date: 2019-08-06T00:00:00
db: VULMON, id: CVE-2019-13143, date: 2019-08-06T00:00:00
db: JVNDB, id: JVNDB-2019-007609, date: 2019-08-15T00:00:00
db: CNNVD, id: CNNVD-201908-423, date: 2019-08-06T00:00:00
db: NVD, id: CVE-2019-13143, date: 2019-08-06T18:15:11.267