Information Disclosure Vulnerability in Sonos One Speaker
CVE-2023-27353
6.5 MEDIUM
What is CVE-2023-27353?
This vulnerability in the Sonos One Speaker allows network-adjacent attackers to access sensitive information without authentication. The flaw is in the msprox endpoint, which does not properly validate user-supplied data, and this can result in a read past the end of an allocated buffer. An attacker can combine this vulnerability with other security issues to execute arbitrary code with root-level privileges, jeopardizing the integrity of the system.
Affected Version(s)
One Speaker 70.3-35220
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Phan Thanh Duy (@PTDuy) & Nguyen Hoang Thach (@hi_im_d4rkn3ss) of STAR Labs SG Pte. Ltd.