CVE-2024-47078

Meshtastic is an open source, off-grid, decentralized mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT server. Nodes can communicate directly via an internet connection or be proxied through a connected phone (i.e., via Bluetooth). Prior to version 2.5.1, multiple weaknesses in the MQTT implementation allow for authentication and authorization bypasses, resulting in unauthorized control of MQTT-connected nodes. Version 2.5.1 contains a patch.

Configurations

Configuration 1

cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*

History

02 Dec 2024, 18:31

Type | Values Removed | Values Added
CVSS | v2 : unknown; v3 : 9.8 | v2 : unknown; v3 : 8.1
CPE | cpe:2.3:a:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:* | cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*

01 Oct 2024, 18:29

Type | Values Removed | Values Added
References | https://github.com/meshtastic/firmware/security/advisories/GHSA-vqcq-wjwx-7252 | https://github.com/meshtastic/firmware/security/advisories/GHSA-vqcq-wjwx-7252 - Third Party Advisory
First Time | | Meshtastic; Meshtastic meshtastic Firmware
CVSS | v2 : unknown; v3 : 8.1 | v2 : unknown; v3 : 9.8
CPE | | cpe:2.3:a:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*

26 Sep 2024, 13:32

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2024-09-25 16:15

Updated : 2024-12-02 18:31


NVD link : CVE-2024-47078

Mitre link : CVE-2024-47078

CVE.ORG link : CVE-2024-47078


Products Affected

meshtastic

  • meshtastic_firmware

CWE

CWE-287

Improper Authentication

CWE-863

Incorrect Authorization