Details of VAR-202102-0089

ID

VAR-202102-0089

CVE

CVE-2020-12702

TITLE

eWeLink Vulnerability in using cryptographic algorithms in mobile applications

Trust: 0.8

sources: JVNDB: JVNDB-2020-016233

DESCRIPTION

Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process. eWeLink Mobile applications contain vulnerabilities in the use of cryptographic algorithms.Information may be obtained

Trust: 1.71

sources: NVD: CVE-2020-12702 // JVNDB: JVNDB-2020-016233 // VULMON: CVE-2020-12702

AFFECTED PRODUCTS

vendor:	coolkit	model:	ewelink	scope:	lte	version:	4.9.2	Trust: 1.0
vendor:	coolkit	model:	ewelink	scope:	lte	version:	4.9.1	Trust: 1.0
vendor:	coolkit	model:	ewelink	scope:	lte	version:	4.9.1 and earlier (ios)	Trust: 0.8
vendor:	coolkit	model:	ewelink	scope:	eq	version:	-	Trust: 0.8
vendor:	coolkit	model:	ewelink	scope:	lte	version:	4.9.2 and earlier (android)	Trust: 0.8

sources: JVNDB: JVNDB-2020-016233 // NVD: CVE-2020-12702

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-12702
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-12702
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202102-1578
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2020-12702
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2020-12702
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2020-12702
baseSeverity:	MEDIUM
baseScore:	4.6
vectorString:	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	0.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2020-12702
baseSeverity:	MEDIUM
baseScore:	4.6
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2020-12702 // JVNDB: JVNDB-2020-016233 // CNNVD: CNNVD-202102-1578 // NVD: CVE-2020-12702

PROBLEMTYPE DATA

problemtype:	CWE-327	Trust: 1.0
problemtype:	Use of incomplete or dangerous cryptographic algorithms (CWE-327) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-016233 // NVD: CVE-2020-12702

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-202102-1578

PATCH

title:	eWeLink - Smart Home	url:	https://play.google.com/store/apps/details?id=com.coolkit&hl=en_US	Trust: 0.8
title:	eWeLink mobile application Fixes for encryption problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=143434	Trust: 0.6
title:	ESPTouchCatcher	url:	https://github.com/salgio/ESPTouchCatcher	Trust: 0.1
title:	PoC	url:	https://github.com/Jonathan-Elias/PoC	Trust: 0.1
title:	PoC-in-GitHub	url:	https://github.com/developer3000S/PoC-in-GitHub	Trust: 0.1

sources: VULMON: CVE-2020-12702 // JVNDB: JVNDB-2020-016233 // CNNVD: CNNVD-202102-1578

EXTERNAL IDS

db:	NVD	id:	CVE-2020-12702	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-016233	Trust: 0.8
db:	CNNVD	id:	CNNVD-202102-1578	Trust: 0.6
db:	VULMON	id:	CVE-2020-12702	Trust: 0.1

sources: VULMON: CVE-2020-12702 // JVNDB: JVNDB-2020-016233 // CNNVD: CNNVD-202102-1578 // NVD: CVE-2020-12702

REFERENCES

url:	https://github.com/salgio/esptouchcatcher	Trust: 2.6
url:	https://dl.acm.org/doi/abs/10.1145/3411498.3419965	Trust: 1.7
url:	https://www.youtube.com/watch?v=dghyh7wy6ie&feature=youtu.be	Trust: 1.7
url:	https://play.google.com/store/apps/details?id=com.coolkit&hl=en_us	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12702	Trust: 1.4
url:	https://cwe.mitre.org/data/definitions/327.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2020-12702 // JVNDB: JVNDB-2020-016233 // CNNVD: CNNVD-202102-1578 // NVD: CVE-2020-12702

SOURCES

db:	VULMON	id:	CVE-2020-12702
db:	JVNDB	id:	JVNDB-2020-016233
db:	CNNVD	id:	CNNVD-202102-1578
db:	NVD	id:	CVE-2020-12702

LAST UPDATE DATE

2024-11-23T22:37:05.531000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2020-12702	date:	2021-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2020-016233	date:	2021-11-16T07:10:00
db:	CNNVD	id:	CNNVD-202102-1578	date:	2021-03-04T00:00:00
db:	NVD	id:	CVE-2020-12702	date:	2024-11-21T05:00:06.477

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2020-12702	date:	2021-02-24T00:00:00
db:	JVNDB	id:	JVNDB-2020-016233	date:	2021-11-16T00:00:00
db:	CNNVD	id:	CNNVD-202102-1578	date:	2021-02-24T00:00:00
db:	NVD	id:	CVE-2020-12702	date:	2021-02-24T14:15:13.150