CRITICAL🇵🇱 Wersja polska

CVE-2023-48417

CVSS 9.8v3.1pub. 2023-12-11upd. 2024-11-21

Missing Permission checks resulting in unauthorized access and Manipulation in KeyChainActivity Application

🤖 AI Analysis
How it works

The vulnerability results from missing required permission checks (CWE-862 – Missing Authorization) in the KeyChainActivity application. A remote, unauthenticated attacker can send a specially crafted request to the vulnerable application, bypassing access control mechanisms. As a result, unauthorized reading, modification, or destruction of data handled by KeyChainActivity is possible.

Impact

An attacker can gain unauthorized access to sensitive data managed by the KeyChainActivity application and modify it, threatening the confidentiality, integrity, and availability of the system. The network vector without authentication requirement means the attack can be carried out remotely and without user interaction.

Mitigation & patch

Security patches available from the manufacturer should be applied in accordance with references — Google security bulletin for Chromecast dated 2023-12-01 (https://source.android.com/docs/security/bulletin/chromecast/2023-12-01). It is recommended to update the firmware of Chromecast devices as soon as possible.

Who is affected

Google Chromecast devices with firmware — versions indicated in manufacturer references (Chromecast security bulletin from December 2023).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Google Chromecast

    HW
    Google
    wszystkie wersje
  • Google Chromecast Firmware

    OS
    Google
    < 2023-10-01
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-48426CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność u-boot w Google Chromecast — dostęp do powłoki przez UART

CVE-2023-48424CRITICAL9.8PL ✓ten sam produkt

Privilege escalation poprzez podatność w U-Boot shell na Google Chromecast

CVE-2023-48425CRITICAL9.8PL ✓ten sam produkt

Podatność U-Boot w Google Chromecast umożliwiająca trwałe wykonanie kodu

CVE-2023-6181CRITICAL9.8PL ✓ten sam produkt

RCE w Google Chromecast — trwałe wykonanie kodu przez błąd BCB

CVE-2018-12716MEDIUM4.3ten sam produkt

The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding atta...