Details of VAR-202104-0016

ID

VAR-202104-0016

CVE

CVE-2020-11922

TITLE

WiZ Connected WiZ Colors A60 Information Disclosure Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-29834 // CNNVD: CNNVD-202104-098

DESCRIPTION

An issue was discovered in WiZ Colors A60 1.14.0. The device sends unnecessary information to the cloud controller server. Although this information is sent encrypted and has low risk in isolation, it decreases the privacy of the end user. The information sent includes the local IP address being used and the SSID of the Wi-Fi network the device is connected to. (Various resources such as wigle.net can be use for mapping of SSIDs to physical locations.). No detailed vulnerability details are currently provided. The Lightbulb by default transmits privacy sensitive info to the cloud system. ------------------------------------------ [Reference] N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Wouter Wessels, Jim Blankendaal, Jasper Nota from Qbit in assignment of the Consumentenbond. Use CVE-2020-11922

Trust: 2.34

sources: NVD: CVE-2020-11922 // JVNDB: JVNDB-2020-016466 // CNVD: CNVD-2021-29834 // VULMON: CVE-2020-11922 // PACKETSTORM: 179801

IOT TAXONOMY

category:	['IoT']	sub_category:	-	Trust: 0.6
category:	['home & office device']	sub_category:	bulb	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2021-29834

AFFECTED PRODUCTS

vendor:	wizconnected	model:	a60 colors	scope:	eq	version:	1.14.0	Trust: 1.0
vendor:	wiz connected lighting	model:	colors a60	scope:	eq	version:	-	Trust: 0.8
vendor:	wiz connected lighting	model:	colors a60	scope:	eq	version:	wiz colors a60 firmware 1.14.0	Trust: 0.8
vendor:	wiz	model:	connected wiz colors a60	scope:	eq	version:	1.14.0	Trust: 0.6

sources: CNVD: CNVD-2021-29834 // JVNDB: JVNDB-2020-016466 // NVD: CVE-2020-11922

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-11922
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-11922
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2021-29834
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-202104-098
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2020-11922
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2020-11922
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-29834
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-11922
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2020-11922
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-29834 // VULMON: CVE-2020-11922 // JVNDB: JVNDB-2020-016466 // CNNVD: CNNVD-202104-098 // NVD: CVE-2020-11922

PROBLEMTYPE DATA

problemtype:	CWE-200	Trust: 1.0
problemtype:	information leak (CWE-200) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-016466 // NVD: CVE-2020-11922

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202104-098

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202104-098

PATCH

title:	Smart lighting for your daily living	url:	https://www.wizconnected.com/en/consumer/	Trust: 0.8
title:	Patch for WiZ Connected WiZ Colors A60 Information Disclosure Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/259941	Trust: 0.6
title:	WiZ Connected WiZ Colors A60 Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=147290	Trust: 0.6

sources: CNVD: CNVD-2021-29834 // JVNDB: JVNDB-2020-016466 // CNNVD: CNNVD-202104-098

EXTERNAL IDS

db:	NVD	id:	CVE-2020-11922	Trust: 4.2
db:	JVNDB	id:	JVNDB-2020-016466	Trust: 0.8
db:	CNVD	id:	CNVD-2021-29834	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-098	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.2
db:	VULMON	id:	CVE-2020-11922	Trust: 0.1
db:	PACKETSTORM	id:	179801	Trust: 0.1

sources: OTHER: None // OTHER: None // CNVD: CNVD-2021-29834 // VULMON: CVE-2020-11922 // JVNDB: JVNDB-2020-016466 // PACKETSTORM: 179801 // CNNVD: CNNVD-202104-098 // NVD: CVE-2020-11922

REFERENCES

url:	https://www.eurofins-cybersecurity.com/news/connected-devices-wiz-smart-lightbulbs/	Trust: 3.1
url:	https://cwe.mitre.org/data/definitions/201.html	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11922	Trust: 1.5
url:	http://seclists.org/fulldisclosure/2024/jul/14	Trust: 1.0
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2021-29834 // VULMON: CVE-2020-11922 // JVNDB: JVNDB-2020-016466 // PACKETSTORM: 179801 // CNNVD: CNNVD-202104-098 // NVD: CVE-2020-11922

CREDITS

Willem Westerhof | Secura

Trust: 0.1

sources: OTHER: None

SOURCES

db:	OTHER	id:	-
db:	OTHER	id:	-
db:	CNVD	id:	CNVD-2021-29834
db:	VULMON	id:	CVE-2020-11922
db:	JVNDB	id:	JVNDB-2020-016466
db:	PACKETSTORM	id:	179801
db:	CNNVD	id:	CNNVD-202104-098
db:	NVD	id:	CVE-2020-11922

LAST UPDATE DATE

2025-01-30T21:41:40.207000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-29834	date:	2021-04-21T00:00:00
db:	VULMON	id:	CVE-2020-11922	date:	2021-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2020-016466	date:	2021-12-09T08:01:00
db:	CNNVD	id:	CNNVD-202104-098	date:	2022-07-11T00:00:00
db:	NVD	id:	CVE-2020-11922	date:	2024-11-21T04:58:54.733

SOURCES RELEASE DATE

db:	OTHER	id:	-	date:	2024-07-26T13:11:06
db:	CNVD	id:	CNVD-2021-29834	date:	2021-04-21T00:00:00
db:	VULMON	id:	CVE-2020-11922	date:	2021-04-02T00:00:00
db:	JVNDB	id:	JVNDB-2020-016466	date:	2021-12-09T00:00:00
db:	PACKETSTORM	id:	179801	date:	2024-07-30T12:35:43
db:	CNNVD	id:	CNNVD-202104-098	date:	2021-04-02T00:00:00
db:	NVD	id:	CVE-2020-11922	date:	2021-04-02T16:15:13.507