Refine your search
2 vulnerabilities found for TUNE FLEX by JBL
CVE-2024-2104 (GCVE-0-2024-2104)
Vulnerability from nvd
Published
2025-12-10 12:56
Modified
2025-12-10 16:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| JBL | LIVE PRO 2 TWS |
Version: * |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T16:37:02.427390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T16:37:18.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LIVE PRO 2 TWS",
"vendor": "JBL",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TUNE FLEX",
"vendor": "JBL",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mattar Bernhard from Hummus Sec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to improper BLE security configurations on the device\u0027s GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable."
}
],
"value": "Due to improper BLE security configurations on the device\u0027s GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T12:56:15.290Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://harman.csaf-tp.certvde.com/.well-known/csaf/white/2025/hbsa-2025-0001.json"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://certvde.com/en/advisories/VDE-2024-076"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JBL: Improper BLE security configurations and lack of authentication on the device\u0027s GATT server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2024-2104",
"datePublished": "2025-12-10T12:56:15.290Z",
"dateReserved": "2024-03-01T16:45:42.526Z",
"dateUpdated": "2025-12-10T16:37:18.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2104 (GCVE-0-2024-2104)
Vulnerability from cvelistv5
Published
2025-12-10 12:56
Modified
2025-12-10 16:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| JBL | LIVE PRO 2 TWS |
Version: * |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T16:37:02.427390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T16:37:18.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LIVE PRO 2 TWS",
"vendor": "JBL",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TUNE FLEX",
"vendor": "JBL",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mattar Bernhard from Hummus Sec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to improper BLE security configurations on the device\u0027s GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable."
}
],
"value": "Due to improper BLE security configurations on the device\u0027s GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T12:56:15.290Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://harman.csaf-tp.certvde.com/.well-known/csaf/white/2025/hbsa-2025-0001.json"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://certvde.com/en/advisories/VDE-2024-076"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JBL: Improper BLE security configurations and lack of authentication on the device\u0027s GATT server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2024-2104",
"datePublished": "2025-12-10T12:56:15.290Z",
"dateReserved": "2024-03-01T16:45:42.526Z",
"dateUpdated": "2025-12-10T16:37:18.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}