← Back

CVE-2024-5684

nvd nist
Published: Jun 6, 2024Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

An attacker with access to the private network (the charger is connected to) or local access to the Ethernet-Interface can exploit a faulty implementation of the JWT-library in order to bypass the password authentication to the web configuration interface and then has full access as the user would have. However, an attacker will not have developer or admin rights. If the implementation of the JWT-library is wrongly configured to accept "none"-algorithms, the server will pass insecure JWT. A local, unauthenticated attacker can exploit this vulnerability to bypass the authentication mechanism.

Affected (6)

Vw
2 products
Id.charger Connect Firmware
Id.charger Pro Firmware
Configuration A
3 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Vw
Id.charger Connect Firmware
Version spr3.2 beta
Id.charger Connect Firmware
Version spr3.51
Id.charger Connect Firmware
Version spr3.52
Running on/withPlatform Versions
Vw
Id.charger Connect
All versions
Configuration B
3 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Vw
Id.charger Pro Firmware
Version spr3.2 beta
Id.charger Pro Firmware
Version spr3.51
Id.charger Pro Firmware
Version spr3.52
Running on/withPlatform Versions
Vw
Id.charger Pro
All versions

Related CWEs

CWE-345
Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References (2)

Source: cve@asrg.io
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.