Cyber Resilience

CVE-2022-39870

Severity: Medium · Type: LPE

Published: 07 October 2022
Modified: 21 November 2024
CVSS Score v3.1: 4.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0018 (38.7th percentile)
Risk Priority: 8 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-39870 is a medium-severity Improper Access Control (CWE-284) vulnerability in Samsung SmartThings. Its CVSS v3.1 base score is 4.0 (Medium).

Operationally, its EPSS score places it at the 38.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Improper access control vulnerability in cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via the PUSH_MESSAGE_RECEIVED broadcast.

CWE(s)

CWE-284 (Improper Access Control), CWE-668 (Exposure of Resource to Wrong Sphere)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

samsung smartthings ≤ 1.7.89.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-284, CWE-668) Enforces rules governing access to the system and its data from external systems based on established trust relationships.
- (addresses CWE-284, CWE-668) Requires verifying that a sharing partner's access authorizations match the information's restrictions before sharing occurs.
- (addresses CWE-284, CWE-668) Designating authorized individuals and mandating pre/post-publication reviews enforces access controls on who can publish content publicly.
- (addresses CWE-284, CWE-668) Provides monitoring and protection against data mining patterns that exploit improper access controls to extract data.
- (addresses CWE-284, CWE-668) Enforcing approved authorizations for information flows directly implements access control over data movements within and between systems.
- (addresses CWE-284, CWE-668) Authorizing and reviewing internal connections enforces proper access control over system interfaces.
- (addresses CWE-284, CWE-668) Identifying users with access to specific system components supports enforcement of proper access controls on information.
- (addresses CWE-284, CWE-668) Enforces access restrictions on media, directly mitigating improper access control weaknesses.