CVE-2023-23299
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
23/05/2023
Last modified:
21/01/2025
Description
The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could access restricted CIQ modules, call their functions and disclose sensitive data such as user profile information and GPS coordinates, among others.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:garmin:connect-iq:*:*:*:*:*:*:*:* | 1.0.0 (including) | 4.1.7 (including) |
References to Advisories, Solutions, and Tools
- https://developer.garmin.com/connect-iq/core-topics/manifest-and-permissions/
- https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23299.md