Full Report
An Incorrect Authorization vulnerability (CVE-2023-4617) has been found in the Govee Home mobile application on Android and iOS.
Analysis Summary
# Vulnerability: Incorrect Authorization in Govee Home Mobile Application
## CVE Details
- CVE ID: CVE-2023-4617
- CVSS Score: Not specified in snippet (Requires external lookup, assumed to be Medium/High based on impact)
- CWE: CWE-863 (Incorrect Authorization)
## Affected Systems
- Products: Govee Home mobile application
- Versions: All versions before 5.9
- Configurations: Affects both Android and iOS platforms.
## Vulnerability Description
An Incorrect Authorization vulnerability exists in an HTTP POST request used by the Govee Home application. The backend does not verify that the device identified by the `device`, `sku`, and `type` fields of the request belongs to the account making it, so a remote attacker can control devices belonging to other users simply by substituting those field values.
## Exploitation
- Status: Not explicitly stated, but details provided suggest functional exploitability.
- Complexity: Likely Low, given it involves manipulating HTTP request fields.
- Attack Vector: Network (Remote access to the backend API endpoint)
## Impact
- Confidentiality: Potential unauthorized access to device states/data (Not explicitly detailed, inferred from control).
- Integrity: High potential for unauthorized modification of device settings or state control.
- Availability: Potential for disruption of device functionality/control.
## Remediation
### Patches
- Version 5.9 and later contain the fix. Users should update to **version 5.9** or newer.
### Workarounds
- No temporary workarounds were specified in the provided context.
## Detection
- Indicators of Compromise: Unusual API calls against the Govee backend in which the device-control parameters (`device`, `sku`, `type`) reference a device that the requesting session's account does not own.
- Detection methods and tools: Application Traffic Analysis (ATA) looking for abnormal POST requests targeting device management functions.
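The following is an added illustration, not Govee's code or any code from the advisory. It shows the server-side ownership check whose absence the Vulnerability Description above refers to (CWE-863), and reuses that check as the detection logic suggested in this section by replaying it over constructed request log lines. The ownership registry, the log format (session account followed by the JSON POST body) and all values in it are assumptions; only the field names `device`, `sku` and `type` come from the advisory.

```python
import json

# Constructed sample registry: which account owns which device.
# A real backend would look this up in its device-binding store.
OWNERSHIP = {
    "alice": {"DEV-0001", "DEV-0002"},
    "bob": {"DEV-0003"},
}

# Field names taken from the advisory; their meaning is not detailed there.
REQUIRED_FIELDS = ("device", "sku", "type")


def authorize_device_control(session_user, body):
    """Return (allowed, reason) for a device-control POST body.

    The fix for the flaw described above: ownership is derived from the
    authenticated session, never from the client-supplied field values.
    """
    missing = [f for f in REQUIRED_FIELDS if f not in body]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    if body["device"] not in OWNERSHIP.get(session_user, set()):
        return False, "device not owned by session account"
    return True, "ok"


# Constructed sample log: "<session account> <raw POST body>" per line.
SAMPLE_LOG = """\
alice {"device": "DEV-0001", "sku": "SKU-EXAMPLE", "type": 1}
bob {"device": "DEV-0001", "sku": "SKU-EXAMPLE", "type": 1}
alice {"device": "DEV-0003", "sku": "SKU-EXAMPLE"}
bob {"device": "DEV-0003", "sku": "SKU-EXAMPLE", "type": 1}
"""


def flag_cross_account_requests(log_text):
    """Detection: replay the ownership check over logged requests.

    Returns (line_number, account, reason) for every request that
    references a device the account does not own or is malformed.
    """
    flagged = []
    for n, line in enumerate(log_text.splitlines(), 1):
        user, _, raw = line.partition(" ")
        try:
            body = json.loads(raw)
        except json.JSONDecodeError:
            flagged.append((n, user, "unparseable body"))
            continue
        allowed, reason = authorize_device_control(user, body)
        if not allowed:
            flagged.append((n, user, reason))
    return flagged
```

Running `flag_cross_account_requests(SAMPLE_LOG)` flags line 2 (bob targeting alice's device) and line 3 (malformed request), while the two legitimate requests pass.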
## References
- Vendor advisories: Govee (implicitly, via the coordinated disclosure effort)
- Relevant links (defanged):
  - hxxps://www.cve.org/CVERecord?id=CVE-2023-4617
  - hxxps://cert.pl/en/cvd/