CVE-2017-14797 - Vulnerability Details - OpenCVE

Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtain complete control of the connected accessories) by leveraging the ability to sniff HTTP traffic on the local intranet network.

No CVSS v4.0

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Philips	Hue Bridge Bsb002 Hue Bridge Bsb002 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:philips:hue_bridge_bsb002_firmware:1707040932:*:*:*:*:*:*:*

cpe:2.3:h:philips:hue_bridge_bsb002:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.tiferrei.com/philips-we-need-to-talk

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-09-30T03:00:00.000Z

Updated: 2024-08-05T19:34:39.922Z

Reserved: 2017-09-27T00:00:00.000Z

Link: CVE-2017-14797

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-10-01T01:29:00.723

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-14797

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-09-29T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtain complete control of the connected accessories) by leveraging the ability to sniff HTTP traffic on the local intranet network."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-20T13:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.tiferrei.com/philips-we-need-to-talk"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14797", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtain complete control of the connected accessories) by leveraging the ability to sniff HTTP traffic on the local intranet network."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.tiferrei.com/philips-we-need-to-talk", "refsource": "MISC", "url": "https://www.tiferrei.com/philips-we-need-to-talk"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:34:39.922Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.tiferrei.com/philips-we-need-to-talk"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14797", "datePublished": "2017-09-30T03:00:00.000Z", "dateReserved": "2017-09-27T00:00:00.000Z", "dateUpdated": "2024-08-05T19:34:39.922Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:philips:hue_bridge_bsb002_firmware:1707040932:*:*:*:*:*:*:*", "matchCriteriaId": "32D4FB5F-8B57-436B-991C-F300A9B09B40", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:philips:hue_bridge_bsb002:-:*:*:*:*:*:*:*", "matchCriteriaId": "1A54ECAB-98FB-4E50-B359-C01FB23FE3FC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtain complete control of the connected accessories) by leveraging the ability to sniff HTTP traffic on the local intranet network."}, {"lang": "es", "value": "La ausencia de cifrado en la capa de transporte en la API publica en Philips Hue Bridge BSB002 SW 1707040932 permite que los atacantes remotos lean claves de API (y en consecuencia omitir el mecanismo de protecci\u00f3n pushlink y obtener el control completo de los accesorios conectados) mediante la capacidad para rastrear el tr\u00e1fico HTTP en la intranet local."}], "id": "CVE-2017-14797", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-01T01:29:00.723", "references": [{"source": "cve@mitre.org", "url": "https://www.tiferrei.com/philips-we-need-to-talk"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.tiferrei.com/philips-we-need-to-talk"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "nvd@nist.gov", "type": "Primary"}]}