CVE-2023-23301

Name of the Vulnerable Software and Affected Versions CIQ API versions 1.0.0 through 4.1.7

Description The issue arises from the news MonkeyC operation code in the CIQ API, which fails to properly check string resources, allowing them to extend past the expected sections. A malicious CIQ application could exploit this by crafting a string that starts near the end of a section and extends past it, causing the GarminOS TVM component to read out-of-bounds memory.

Recommendations For CIQ API versions 1.0.0 through 4.1.7, as a temporary workaround, consider restricting the use of the news MonkeyC operation code until a patch is available. Avoid using strings that could extend past the end of expected sections in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.