CVE-2023-45866

Published: Dec 8, 2023Modified: Nov 4, 2025

6.3

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability: 2.8 / Impact: 3.4

Source: NVD

Description

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

Affected (19)

Products: Google: Android · Canonical: Ubuntu Linux · Apple: Iphone Os, Macos, Ipados · +2 more

Show all products

Google: Android · Canonical: Ubuntu Linux · Apple: Iphone Os, Macos, Ipados · Fedoraproject: Fedora · Debian: Debian Linux

1 product

1 product

3 products

1 product

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Google Android	Version 4.2.2

Running on/with	Platform Versions
Bluproducts Dash	Version 3.5

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Google Android	Version 6.0.1

Running on/with	Platform Versions
Google Nexus 5	All versions

Configuration C

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Google Android	Version 10.0
Google Android	Version 11.0

Running on/with	Platform Versions
Google Pixel 2	All versions

Configuration D

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Google Android	Version 13.0

Running on/with	Platform Versions
Google Pixel 4a	All versions
Google Pixel 6	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Google Android	Version 14.0

Running on/with	Platform Versions
Google Pixel 7	All versions

Configuration F

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 20.04
Canonical Ubuntu Linux	Version 22.04
Canonical Ubuntu Linux	Version 23.10

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Apple Iphone Os	Version 16.6

Running on/with	Platform Versions
Apple Iphone Se	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Apple Macos	Version 12.6.7

Running on/with	Platform Versions
Apple Macbook Air	Version 2017

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Apple Macos	Version 13.3.3

Running on/with	Platform Versions
Apple Macbook Pro	Version m2

Configuration J

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 38
Fedoraproject Fedora	Version 39

Configuration K

3 vulnerable

Vulnerable Software	Affected Versions
Apple Ipados	Before 17.2
Apple Iphone Os	Before 17.2
Apple Macos	From 14.0 to 14.2

Configuration L

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (28)

http://changelogs.ubuntu.com/changelogs/pool/main/b/bluez/bluez_5.64-0ubuntu1/changelog

Source: cve@mitre.org

Release Notes

http://seclists.org/fulldisclosure/2023/Dec/7

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://seclists.org/fulldisclosure/2023/Dec/9

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://bluetooth.com

Source: cve@mitre.org

Not Applicable

https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675

Source: cve@mitre.org

Mailing ListPatch

https://github.com/skysafe/reblog/tree/main/cve-2023-45866

Source: cve@mitre.org

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/12/msg00011.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/77YQQS5FXPYE6WBBZO3REFIRAUJHERFA/

Source: cve@mitre.org

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2N2P5LMP3V7IJONALV2KOFL4NUU23CJ/

Source: cve@mitre.org

Mailing List

https://security.gentoo.org/glsa/202401-03

Source: cve@mitre.org

https://support.apple.com/kb/HT214035

Source: cve@mitre.org

Third Party Advisory

https://support.apple.com/kb/HT214036

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2023/dsa-5584

Source: cve@mitre.org

http://changelogs.ubuntu.com/changelogs/pool/main/b/bluez/bluez_5.64-0ubuntu1/changelog

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

http://seclists.org/fulldisclosure/2023/Dec/7

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://seclists.org/fulldisclosure/2023/Dec/9

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://bluetooth.com

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatch

https://github.com/skysafe/reblog/tree/main/cve-2023-45866

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/12/msg00011.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/77YQQS5FXPYE6WBBZO3REFIRAUJHERFA/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2N2P5LMP3V7IJONALV2KOFL4NUU23CJ/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/77YQQS5FXPYE6WBBZO3REFIRAUJHERFA/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2N2P5LMP3V7IJONALV2KOFL4NUU23CJ/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202401-03

Source: af854a3a-2127-422b-91ae-364da2661108

https://support.apple.com/kb/HT214035

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://support.apple.com/kb/HT214036

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2023/dsa-5584

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.