CVE-2023-23298
https://notcve.org/view.php?id=CVE-2023-23298
The `Toybox.Graphics.BufferedBitmap.initialize` API method in CIQ API version 2.3.0 through 4.1.7 does not validate its parameters, which can result in integer overflows when allocating the underlying bitmap buffer. A malicious application could call the API method with specially crafted parameters and hijack the execution of the device's firmware.
References:
https://developer.garmin.com/connect-iq/api-docs/Toybox/Graphics/BufferedBitmap.html#initialize-instance_function
https://developer.garmin.com/connect-iq/compatible-devices
https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23298.md
Weakness: CWE-190: Integer Overflow or Wraparound
CVE-2023-23299
https://notcve.org/view.php?id=CVE-2023-23299
The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could access restricted CIQ modules, call their functions and disclose sensitive data such as user profile information and GPS coordinates, among others.
References:
https://developer.garmin.com/connect-iq/core-topics/manifest-and-permissions
https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23299.md
CVE-2023-23300
https://notcve.org/view.php?id=CVE-2023-23300
The `Toybox.Cryptography.Cipher.initialize` API method in CIQ API version 3.0.0 through 4.1.7 does not validate its parameters, which can result in buffer overflows when copying data. A malicious application could call the API method with specially crafted parameters and hijack the execution of the device's firmware.
References:
https://developer.garmin.com/connect-iq/api-docs/Toybox/Cryptography/Cipher.html#initialize-instance_function
https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23300.md
Weakness: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2023-23301
https://notcve.org/view.php?id=CVE-2023-23301
The `news` MonkeyC operation code in CIQ API version 1.0.0 through 4.1.7 fails to check that string resources do not extend past the end of the expected sections. A malicious CIQ application could craft a string that starts near the end of a section and whose length extends past that end. Upon loading the string, the GarminOS TVM component may read out-of-bounds memory.
References:
https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23301.md
Weakness: CWE-125: Out-of-bounds Read
CVE-2023-23302
https://notcve.org/view.php?id=CVE-2023-23302
The `Toybox.GenericChannel.setDeviceConfig` API method in CIQ API version 1.2.0 through 4.1.7 does not validate its parameter, which can result in buffer overflows when copying various attributes. A malicious application could call the API method with a specially crafted object and hijack the execution of the device's firmware.
References:
https://developer.garmin.com/connect-iq/api-docs/Toybox/Ant/GenericChannel.html#setDeviceConfig-instance_function
https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23302.md
Weakness: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')