Cyber Resilience

CVE-2023-31191

Critical

Published: 11 July 2023

Published
11 July 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
EPSS Score 0.0004 12.1th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-31191 is a critical-severity Omission of Security-relevant Information (CWE-223) vulnerability in Bluemark Dronescout Ds230 Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

DroneScout ds230 Remote ID receiver from BlueMark Innovations is affected by an information loss vulnerability through traffic injection. An attacker can exploit this vulnerability by injecting, on carefully selected channels, high power spoofed Open Drone ID (ODID) messages which force…

more

the DroneScout ds230 Remote ID receiver to drop real Remote ID (RID) information and, instead, generate and transmit JSON encoded MQTT messages containing crafted RID information. Consequently, the MQTT broker, typically operated by a system integrator, will have no access to the drones’ real RID information. This issue affects the adjacent channel suppression algorithm present in DroneScout ds230 firmware from version 20211210-1627 through 20230329-1042.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

bluemark
dronescout ds230 firmware
20211210-1627 — 20230329-1042

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References