CVE-2019-5634

An inclusion of sensitive information in log files vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. Communications to the internet API services and direct connections to the lock via Bluetooth Low Energy (BLE) from the mobile application are logged in a debug log on the Android device at HickorySmartLog/Logs/SRDeviceLog.txt. This information was found stored in the Android device's default USB or SDcard storage paths and is accessible without rooting the device. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions.

CVSS v3 6.5 MEDIUM
CVSS v2.0 2.1 LOW

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Exploitability : 2.0 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

2.1^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/	Third Party Advisory
https://play.google.com/store/apps/details?id=com.belwith.hickorysmart&hl=en_US	Product
https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/	Third Party Advisory
https://play.google.com/store/apps/details?id=com.belwith.hickorysmart&hl=en_US	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:belwith-keeler:hickory_smart:*:*:*:*:*:android:*:*

History

21 Nov 2024, 04:45

Type	Values Removed	Values Added
CVSS	v2 : ~~2.1~~ v3 : ~~4.3~~	v2 : 2.1 v3 : 6.5
References	~~() https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/ - Third Party Advisory~~	() https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/ - Third Party Advisory
References	~~() https://play.google.com/store/apps/details?id=com.belwith.hickorysmart&hl=en_US - Product~~	() https://play.google.com/store/apps/details?id=com.belwith.hickorysmart&hl=en_US - Product

Information

Published : 2019-08-22 14:15

Updated : 2024-11-21 04:45

NVD link : CVE-2019-5634

Mitre link : CVE-2019-5634

CVE.ORG link : CVE-2019-5634

JSON object : View

Products Affected

belwith-keeler

hickory_smart

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2019-5634", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "cve@rapid7.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.7}]}, "published": "2019-08-22T14:15:13.617", "references": [{"url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/", "tags": ["Third Party Advisory"], "source": "cve@rapid7.com"}, {"url": "https://play.google.com/store/apps/details?id=com.belwith.hickorysmart&hl=en_US", "tags": ["Product"], "source": "cve@rapid7.com"}, {"url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://play.google.com/store/apps/details?id=com.belwith.hickorysmart&hl=en_US", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve@rapid7.com", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "An inclusion of sensitive information in log files vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. Communications to the internet API services and direct connections to the lock via Bluetooth Low Energy (BLE) from the mobile application are logged in a debug log on the Android device at HickorySmartLog/Logs/SRDeviceLog.txt. This information was found stored in the Android device's default USB or SDcard storage paths and is accessible without rooting the device. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de almacenamiento no seguro de informaci\u00f3n confidencial est\u00e1 presente en Hickory Smart para dispositivos m\u00f3viles Android de Belwith Products, LLC. Las comunicaciones para los servicios de la API de Internet y las conexiones directas al candado por medio de Bluetooth Low Energy (BLE) desde la aplicaci\u00f3n m\u00f3vil se logearon en un registro de depuraci\u00f3n en el dispositivo Android en el archivo HickorySmartLog/Logs/SRDeviceLog.txt. Esta informaci\u00f3n se encontr\u00f3 almacenada en las rutas de almacenamiento USB o SDcard predeterminadas del dispositivo Android y es accesible sin rootear el dispositivo. Este problema afecta a Hickory Smart para Android, versi\u00f3n 01.01.43 y versiones anteriores."}], "lastModified": "2024-11-21T04:45:16.657", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:belwith-keeler:hickory_smart:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "3F53ECA1-EEE6-4C7C-96E6-E21395C0B55E", "versionEndIncluding": "01.01.43"}], "operator": "OR"}]}], "sourceIdentifier": "cve@rapid7.com"}

6.5 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

2.1 /10

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2019-5634

6.5^/10

2.1^/10

Attach tags to `CVE-2019-5634`