Vulnerability in Espressif Esp-idf
CVE-2024-53845
ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6…
Vulnerability class: POODLE (CVE-2014-3566)
EPSS: 0.003 (49.7th percentile)
Affected products
- Espressif Esp-idf, versions: >= 5.3.0, < 5.3.2; >= 5.2.0, < 5.2.4; >= 5.1.0, < 5.1.6
Weakness classification (CWE)
References
- https://github.com/espressif/esp-idf/security/advisories/GHSA-wm57-466g-mhrr (x_refsource_CONFIRM)
- https://github.com/espressif/esp-idf/commit/4f85a2726e04b737c8646d865b44ddd837b703db (x_refsource_MISC)
- https://github.com/espressif/esp-idf/commit/8fb28dcedcc49916a5206456a3a61022d4302cd8 (x_refsource_MISC)
- https://github.com/espressif/esp-idf/commit/d47ed7d6f814e21c5bc8997ab0bc68e2360e5cb2 (x_refsource_MISC)
- https://github.com/espressif/esp-idf/commit/de69895f38d563e22228f5ba23fffa02feabc3a9 (x_refsource_MISC)
- https://github.com/espressif/esp-idf/commit/fd224e83bbf133833638b277c767be7f7cdd97c7 (x_refsource_MISC)
- https://github.com/EspressifApp/EsptouchForAndroid/tree/master/esptouch-v2 (x_refsource_MISC)
- https://github.com/EspressifApp/EsptouchForIOS/tree/master/EspTouchDemo/ESPTouchV2 (x_refsource_MISC)
- https://github.com/espressif/esp-idf/tree/master/components/esp_wifi (x_refsource_MISC)