CVE-2017-5250 - OpenCVE

In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Insteon	Insteon For Hub

Configuration 1 [-]

cpe:2.3:a:insteon:insteon_for_hub:*:*:*:*:*:android:*:*

References

Link	Resource
https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: rapid7

Published: 2018-02-22T16:00:00

Updated: 2018-02-22T15:57:01

Reserved: 2017-01-09T00:00:00

Link: CVE-2017-5250

JSON object: View

NVD Information

Status : Modified

Published: 2018-02-22T16:29:00.310

Modified: 2019-10-09T23:28:15.620

Link: CVE-2017-5250

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:insteon:insteon_for_hub:*:*:*:*:*:android:*:*", "matchCriteriaId": "E5997BAB-1F22-490C-9367-5EE49BBF1DBD", "versionEndIncluding": "1.9.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner."}, {"lang": "es", "value": "En la versi\u00f3n 1.9.7 y anteriores de la aplicaci\u00f3n para Android Insteon for Hub de Insteon, el token OAuth empleado por la app para autorizar el acceso de los usuarios no se almacena de forma cifrada y segura."}], "id": "CVE-2017-5250", "lastModified": "2019-10-09T23:28:15.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-22T16:29:00.310", "references": [{"source": "cve@rapid7.com", "tags": ["Third Party Advisory"], "url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}, {"lang": "en", "value": "CWE-922"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-922"}], "source": "cve@rapid7.com", "type": "Secondary"}]}