CVE-2023-50230

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-50230
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-50230.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-50230
Downstream
Related
Published
2024-05-03T03:16:11Z
Modified
2025-09-16T07:33:13.578754Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device.

The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20938.

References

Affected packages

Debian:11 / bluez

Package

Name
bluez
Purl
pkg:deb/debian/bluez?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.55-3.1+deb11u2

Affected versions

5.*

5.55-3.1
5.55-3.1+deb11u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / bluez

Package

Name
bluez
Purl
pkg:deb/debian/bluez?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.66-1+deb12u2

Affected versions

5.*

5.66-1
5.66-1+deb12u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / bluez

Package

Name
bluez
Purl
pkg:deb/debian/bluez?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.70-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / bluez

Package

Name
bluez
Purl
pkg:deb/debian/bluez?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.70-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/bluez/bluez

Affected ranges

Type
GIT
Repo
https://github.com/bluez/bluez
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5ab5352531a9cc7058cce569607f3a6831464443

Affected versions

4.*

4.0
4.1
4.10
4.100
4.101
4.11
4.12
4.13
4.14
4.15
4.16
4.17
4.18
4.19
4.2
4.20
4.21
4.22
4.23
4.24
4.25
4.26
4.27
4.28
4.29
4.3
4.30
4.31
4.32
4.33
4.34
4.35
4.36
4.37
4.38
4.39
4.4
4.40
4.41
4.42
4.43
4.44
4.45
4.46
4.47
4.48
4.49
4.5
4.50
4.51
4.52
4.53
4.54
4.55
4.56
4.57
4.58
4.59
4.6
4.60
4.61
4.62
4.63
4.64
4.65
4.66
4.67
4.68
4.69
4.7
4.70
4.71
4.72
4.73
4.74
4.75
4.76
4.77
4.78
4.79
4.8
4.80
4.81
4.82
4.83
4.84
4.85
4.86
4.87
4.88
4.89
4.9
4.90
4.91
4.92
4.93
4.94
4.95
4.96
4.97
4.98
4.99

5.*

5.0
5.1
5.10
5.11
5.12
5.13
5.14
5.15
5.16
5.17
5.18
5.19
5.2
5.20
5.21
5.22
5.23
5.24
5.25
5.26
5.27
5.28
5.29
5.3
5.30
5.31
5.32
5.33
5.34
5.35
5.36
5.37
5.38
5.39
5.4
5.40
5.41
5.42
5.43
5.44
5.45
5.46
5.47
5.48
5.49
5.5
5.50
5.51
5.52
5.53
5.54
5.55
5.56
5.57
5.58
5.59
5.6
5.60
5.61
5.62
5.63
5.64
5.65
5.66
5.67
5.68
5.69
5.7
5.8
5.9

libs-2.*

libs-2.0
libs-2.0-pre10
libs-2.0-pre7
libs-2.0-pre8
libs-2.0-pre9
libs-2.1
libs-2.10
libs-2.11
libs-2.12
libs-2.13
libs-2.14
libs-2.15
libs-2.16
libs-2.17
libs-2.18
libs-2.19
libs-2.2
libs-2.20
libs-2.21
libs-2.22
libs-2.23
libs-2.24
libs-2.25
libs-2.3
libs-2.4
libs-2.5
libs-2.6
libs-2.7
libs-2.8
libs-2.9

libs-3.*

libs-3.0
libs-3.1
libs-3.10
libs-3.11
libs-3.12
libs-3.13
libs-3.14
libs-3.15
libs-3.16
libs-3.17
libs-3.18
libs-3.19
libs-3.2
libs-3.20
libs-3.21
libs-3.22
libs-3.23
libs-3.24
libs-3.25
libs-3.26
libs-3.27
libs-3.28
libs-3.29
libs-3.3
libs-3.30
libs-3.31
libs-3.32
libs-3.33
libs-3.34
libs-3.35
libs-3.36
libs-3.4
libs-3.5
libs-3.6
libs-3.7
libs-3.8
libs-3.9

utils-2.*

utils-2.0
utils-2.0-pre10
utils-2.0-pre11
utils-2.0-pre12
utils-2.0-pre7
utils-2.0-pre8
utils-2.0-pre9
utils-2.1
utils-2.10
utils-2.11
utils-2.12
utils-2.13
utils-2.14
utils-2.15
utils-2.16
utils-2.17
utils-2.18
utils-2.19
utils-2.2
utils-2.20
utils-2.21
utils-2.22
utils-2.23
utils-2.24
utils-2.25
utils-2.3
utils-2.4
utils-2.5
utils-2.6
utils-2.7
utils-2.8
utils-2.9

utils-3.*

utils-3.0
utils-3.1
utils-3.10
utils-3.10.1
utils-3.11
utils-3.12
utils-3.13
utils-3.14
utils-3.15
utils-3.16
utils-3.17
utils-3.18
utils-3.19
utils-3.2
utils-3.20
utils-3.21
utils-3.22
utils-3.23
utils-3.24
utils-3.25
utils-3.26
utils-3.27
utils-3.28
utils-3.29
utils-3.3
utils-3.30
utils-3.31
utils-3.32
utils-3.33
utils-3.34
utils-3.35
utils-3.36
utils-3.4
utils-3.5
utils-3.6
utils-3.6.1
utils-3.7
utils-3.8
utils-3.9

Database specific 

{
    "vanir_signatures": [
        {
            "digest": {
                "function_hash": "129905515860770125204907878770854051751",
                "length": 831.0
            },
            "source": "https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443",
            "id": "CVE-2023-50230-51063d89",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "function": "read_version",
                "file": "obexd/client/pbap.c"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "164425567483586797048056782771521406564",
                    "339243539476488535186301626308607492346",
                    "26029931549650522073502581951593648305",
                    "56338152221748842126145501726730413299",
                    "56544350967026370986741586863287295304",
                    "140782047637023207733316715606570148485",
                    "285438267478055345032039066623780983565",
                    "87185564937850498998972364784924109268"
                ]
            },
            "source": "https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443",
            "id": "CVE-2023-50230-d79d2322",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "obexd/client/pbap.c"
            },
            "signature_type": "Line"
        }
    ]
}