CVE-2023-25758

Source
https://cve.org/CVERecord?id=CVE-2023-25758
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25758.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-25758
Published
2023-02-14T00:00:00Z
Modified
2026-07-15T01:49:17.122900314Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Onekey Touch devices through 4.0.0 and Onekey Mini devices through 2.10.0 allow man-in-the-middle attackers to obtain the seed phase. The man-in-the-middle access can only be obtained after disassembling a device (i.e., here, "man-in-the-middle" does not refer to the attacker's position on an IP network). NOTE: the vendor states that "our hardware team has updated the security patch without anyone being affected."

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25758.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/onekeyhq/firmware

Affected ranges

Type
GIT
Repo
https://github.com/onekeyhq/firmware
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.0.0"
        },
        {
            "fixed": "2.10.0"
        }
    ],
    "source": "DESCRIPTION"
}

Affected versions

bixin/v1.*
bixin/v1.9.4
bixin/v1.9.4.1
bixin/v1.9.5
bixin/v1.9.6
bixin/v1.9.7
bixin/v1.9.8
core/bl2.*
core/bl2.0.0
core/bl2.0.1
core/bl2.0.2
core/br2.*
core/br2.0.0
core/br2.0.1
core/v2.*
core/v2.0.10
core/v2.0.5
core/v2.0.6
core/v2.0.7
core/v2.0.8
core/v2.0.9
mini/v2.*
mini/v2.3.0
mini/v2.4.0
mini/v2.5.0
mini/v2.6.0
mini/v2.7.0
mini/v2.8.0
onekey/v2.*
onekey/v2.0.3
onekey/v2.0.4
python/v0.*
python/v0.11.3
python/v0.11.4
python/v0.11.5
python/v0.12.0
python/v0.12.1
python/v0.12.2
touch/v3.*
touch/v3.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25758.json"