Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Meshtastic allows crafting of specific NodeInfo packets that overwrite any publicKey saved in the NodeDB
Vulnerability Description
Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
认证机制不恰当
Vulnerability Title
Meshtastic 授权问题漏洞
Vulnerability Description
Meshtastic是Meshtastic开源的一种去中心化无线离网网状网络 LoRa 协议。 Meshtastic 2.6.3之前版本存在授权问题漏洞,该漏洞源于绕过公钥验证,可能导致密钥被恶意覆盖。
CVSS Information
N/A
Vulnerability Type
N/A