CVE-2023-4617: Gaining remote control over Govee devices
First published: Thu Dec 19 2024(Updated: )
Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android and iOS in versions before 5.9.
Credit: cvd@cert.pl
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <5.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-4617?
CVE-2023-4617 is considered a high severity vulnerability due to its potential for unauthorized remote control of devices.
How do I fix CVE-2023-4617?
To mitigate CVE-2023-4617, update the Govee Home application to the latest version beyond 5.9.
What type of vulnerability is CVE-2023-4617?
CVE-2023-4617 is an incorrect authorization vulnerability affecting the HTTP POST method.
Which applications are affected by CVE-2023-4617?
CVE-2023-4617 affects the Govee Home application on both Android and iOS platforms.
What can attackers do with CVE-2023-4617?
Attackers can exploit CVE-2023-4617 to control devices belonging to other users by manipulating specific fields in the HTTP POST requests.
- agent/weakness
- agent/references
- agent/title
- agent/description
- agent/first-publish-date
- agent/type
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup