CVE-2023-23299
First published: Tue May 23 2023(Updated: )
The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could access restricted CIQ modules, call their functions and disclose sensitive data such as user profile information and GPS coordinates, among others.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Garmin Connect IQ | >=1.0.0<=4.1.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-23299?
CVE-2023-23299 is considered a high-severity vulnerability due to its ability to allow unauthorized access to sensitive data.
How do I fix CVE-2023-23299?
To fix CVE-2023-23299, update your Garmin Connect IQ applications to versions beyond 4.1.7.
What type of vulnerability is CVE-2023-23299?
CVE-2023-23299 is a bypass vulnerability affecting the permission system in the GarminOS TVM component.
Who is affected by CVE-2023-23299?
All applications developed using Garmin Connect IQ API versions 1.0.0 through 4.1.7 are affected by CVE-2023-23299.
What can an attacker do with CVE-2023-23299?
An attacker can exploit CVE-2023-23299 to access restricted CIQ modules and potentially disclose sensitive data.
- agent/references
- agent/type
- agent/severity
- agent/first-publish-date
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/garmin
- canonical/garmin connect iq
- version/garmin connect iq/1.0.0
- version/garmin connect iq/4.1.7