Gotenna
CVE-2024-43108
MEDIUM
Severity by source
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (hq) · only source for this CVE.
CVSS VectorVendor: hq
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The goTenna Pro ATAK Plugin uses AES CTR type encryption for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message. It is advised to continue to use encryption in the plugin and update to the current release for enhanced encryption protocols.
AnalysisAI
The goTenna Pro ATAK Plugin uses AES CTR type encryption for short, encrypted messages without any additional integrity checking mechanisms. Rated medium severity (CVSS 6.0), this vulnerability is no authentication required. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-353. The goTenna Pro ATAK Plugin uses AES CTR type encryption for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message. It is advised to continue to use encryption in the plugin and update to the current release for enhanced encryption protocols. Affected products include: Gotenna.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. Rated medium severity (CVSS 5.3), th
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. Rated high severity (CVSS 7.3), this v
An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. Rated high severity (CVSS 7.3), this
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. Rated high severity (CVSS 7.1), this v
The goTenna Pro ATAK Plugin does not use SecureRandom when generating passwords for sharing cryptographic keys. Rated hi
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. Rated medium severity (CVSS 6.5), this
The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. Rated medium
In the goTenna Pro ATAK Plugin there is a vulnerability that makes it possible to inject any custom message with any GID
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. Rated medium severity (CVSS 5.3), this
The goTenna Pro ATAK Plugin's default settings are to share Automatic Position, Location, and Information (PLI) updates
The goTenna Pro ATAK Plugin encryption key name is always sent unencrypted when the key is sent over RF through a broadc
An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. Rated medium severity (CVSS 4.3), th
Same weakness CWE-353 – Missing Support for Integrity Check
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today