CVE-2017-5239 - OpenCVE

Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying information, such as GPS data and IMEI numbers, to any man-in-the-middle (MitM) listener.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Eviewgps	Ev-07s Gps Tracker Ev-07s Gps Tracker Firmware

Configuration 1 [-]

AND

cpe:2.3:o:eviewgps:ev-07s_gps_tracker_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:eviewgps:ev-07s_gps_tracker:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/97194
https://community.rapid7.com/community/infosec/blog/2017/03/27/r7-2015-28-multiple-eview-ev-07s-gps-tracker-vulnerabilities	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: rapid7

Published: 2017-03-27T21:00:00

Updated: 2017-03-30T09:57:01

Reserved: 2017-01-09T00:00:00

Link: CVE-2017-5239

JSON object: View

NVD Information

Status : Modified

Published: 2017-03-27T21:59:00.237

Modified: 2017-03-31T01:59:01.143

Link: CVE-2017-5239

JSON object: View

Redhat Information

No data.

CWE

CWE-326

{"containers": {"cna": {"affected": [{"product": "EV-07S GPS Tracker", "vendor": "Eview", "versions": [{"status": "affected", "version": "All"}]}], "datePublic": "2017-03-27T00:00:00", "descriptions": [{"lang": "en", "value": "Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying information, such as GPS data and IMEI numbers, to any man-in-the-middle (MitM) listener."}], "problemTypes": [{"descriptions": [{"description": "Sensitive information transmitted in cleartext", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-03-30T09:57:01", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://community.rapid7.com/community/infosec/blog/2017/03/27/r7-2015-28-multiple-eview-ev-07s-gps-tracker-vulnerabilities"}, {"name": "97194", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97194"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "ID": "CVE-2017-5239", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "EV-07S GPS Tracker", "version": {"version_data": [{"version_value": "All"}]}}]}, "vendor_name": "Eview"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying information, such as GPS data and IMEI numbers, to any man-in-the-middle (MitM) listener."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Sensitive information transmitted in cleartext"}]}]}, "references": {"reference_data": [{"name": "https://community.rapid7.com/community/infosec/blog/2017/03/27/r7-2015-28-multiple-eview-ev-07s-gps-tracker-vulnerabilities", "refsource": "MISC", "url": "https://community.rapid7.com/community/infosec/blog/2017/03/27/r7-2015-28-multiple-eview-ev-07s-gps-tracker-vulnerabilities"}, {"name": "97194", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97194"}]}}}}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2017-5239", "datePublished": "2017-03-27T21:00:00", "dateReserved": "2017-01-09T00:00:00", "dateUpdated": "2017-03-30T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:eviewgps:ev-07s_gps_tracker_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8D1D3D8-BE34-48FA-90DF-42F018935B8B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:eviewgps:ev-07s_gps_tracker:-:*:*:*:*:*:*:*", "matchCriteriaId": "3C745D1E-0AFF-4778-9D4E-C77A6C91AC43", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying information, such as GPS data and IMEI numbers, to any man-in-the-middle (MitM) listener."}, {"lang": "es", "value": "Debido a la falta de cifrado est\u00e1ndar cuando trasmiten informaci\u00f3n sensible a trav\u00e9s de internet a un servicio de monitorizaci\u00f3n centralizado, el Eview EV-07S GPS Tracker revela infomraci\u00f3n de identificaci\u00f3n personal, tal como datos GPS y n\u00fameros de IMEI, a cualquier oyente man-in-the-middle (MitM)."}], "id": "CVE-2017-5239", "lastModified": "2017-03-31T01:59:01.143", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-27T21:59:00.237", "references": [{"source": "cve@rapid7.com", "url": "http://www.securityfocus.com/bid/97194"}, {"source": "cve@rapid7.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://community.rapid7.com/community/infosec/blog/2017/03/27/r7-2015-28-multiple-eview-ev-07s-gps-tracker-vulnerabilities"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "nvd@nist.gov", "type": "Primary"}]}