Remote Access Vulnerability in Govee Home Application
CVE-2023-4617

CVSS score: 10 (CRITICAL)

Key Information:

Vendor: Govee

CVE Published: 19 December 2024

What is CVE-2023-4617?

CVE-2023-4617 is a significant security vulnerability in the Govee Home application for both Android and iOS. The flaw stems from an incorrect authorization process in an HTTP POST method, which allows remote attackers to gain unauthorized control over other users' devices. By manipulating the 'device', 'sku' and 'type' fields of the request, malicious actors can remotely access and control smart devices registered to other users. The vulnerability affects all versions of the Govee Home app prior to version 5.9 and poses a serious risk to user privacy and device security.
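As an added illustration (not Govee's code, nor the researchers' findings), the following Python models the class of authorization gap the advisory describes and the server-side ownership check that closes it. Only the field names 'device', 'sku' and 'type' come from the advisory; the handler, the ownership table and the status codes are hypothetical.

```python
# Added example: broken authorization on a device-control POST body,
# shown next to the corrected server-side ownership check.
# Hypothetical service; the ownership table and status codes are constructed.
from dataclasses import dataclass, field

REQUIRED_FIELDS = ("device", "sku", "type")


@dataclass
class ControlService:
    # Constructed sample ownership table: device id -> owning user id.
    owners: dict = field(default_factory=dict)
    # Commands that were actually dispatched (for inspection in tests).
    commands: list = field(default_factory=list)

    def _dispatch(self, body):
        # Records the command that would be forwarded to the device.
        self.commands.append((body["device"], body["sku"], body["type"]))
        return 200

    def control_unchecked(self, user_id, body):
        # Vulnerable pattern: the device id taken from the POST body is
        # trusted as-is and never bound to the authenticated caller.
        if not all(k in body for k in REQUIRED_FIELDS):
            return 400
        return self._dispatch(body)

    def control_checked(self, user_id, body):
        # Hardened pattern: the server resolves ownership itself and
        # refuses commands for devices the caller does not own.
        if not all(k in body for k in REQUIRED_FIELDS):
            return 400
        if self.owners.get(body["device"]) != user_id:
            return 403
        return self._dispatch(body)


def demo():
    # Two users, each owning one device; "bob" submits a body naming
    # alice's device. Returns the three status codes for comparison.
    svc = ControlService(owners={"dev-A1": "alice", "dev-B7": "bob"})
    body = {"device": "dev-A1", "sku": "SKU-PLACEHOLDER", "type": "turn_on"}
    cross_unchecked = svc.control_unchecked("bob", body)  # 200: alice's device controlled
    cross_checked = svc.control_checked("bob", body)      # 403: ownership check blocks it
    own_checked = svc.control_checked("alice", body)      # 200: owner still allowed
    return cross_unchecked, cross_checked, own_checked
```

The only difference between the two handlers is the lookup against server-held ownership data; the client-supplied identifiers are never treated as proof of authorization.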

Affected Version(s)

Govee Home for Android: all versions prior to 5.9

Govee Home for iOS: all versions prior to 5.9

CVSS v3.1

Score: 10
Severity: CRITICAL
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Jan Adamski (NASK-PIB)
Marek Janiszewski (NASK-PIB)