Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-24023

Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 6.8, indicating it requires adjacent network access but requires specific conditions to be met without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), for affected systems. Impacting 10 products from bluetooth, from microsoft, from microsoft and 7 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2023, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2023-11-28T07:15:41.340

Last Modified

2024-11-21T07:47:16.593

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.8 (MEDIUM)

Weaknesses
  • Type: Primary
    NVD-CWE-noinfo
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application bluetooth bluetooth_core_specification ≤ 5.4 Yes
Operating System microsoft windows_10_1809 < 10.0.17763.5122 Yes
Operating System microsoft windows_10_21h2 < 10.0.19043.3693 Yes
Operating System microsoft windows_10_22h2 < 10.0.19045.3693 Yes
Operating System microsoft windows_11_21h2 < 10.0.22000.2600 Yes
Operating System microsoft windows_11_22h2 < 10.0.22621.2715 Yes
Operating System microsoft windows_11_23h2 < 10.0.22631.2715 Yes
Operating System microsoft windows_server_2019 < 10.0.17763.5122 Yes
Operating System microsoft windows_server_2022 < 10.0.20348.2113 Yes
Operating System microsoft windows_server_2022_23h2 < 10.0.25398.531 Yes
References

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For bluetooth's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.