cve-2024-7391
Vulnerability from cvelistv5
Published: 2024-11-22 21:31
Modified: 2024-11-26 15:59
Summary
ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability.
The specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner's Wi-Fi network. Was ZDI-CAN-21454.
References
Source | URL | Tags |
---|---|---|
zdi-disclosures@trendmicro.com | https://www.zerodayinitiative.com/advisories/ZDI-24-1046/ | Third Party Advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
ChargePoint | Home Flex | 5.5.3.13 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-7391", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-26T15:59:08.355542Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-26T15:59:17.260Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Home Flex", "vendor": "ChargePoint", "versions": [ { "status": "affected", "version": "5.5.3.13" } ] } ], "dateAssigned": "2024-08-01T15:11:51.576-05:00", "datePublic": "2024-08-01T15:21:32.699-05:00", "descriptions": [ { "lang": "en", "value": "ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability.\n\nThe specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner\u0027s Wi-Fi network. Was ZDI-CAN-21454." 
} ], "metrics": [ { "cvssV3_0": { "baseScore": 2.6, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-22T21:31:18.047Z", "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi" }, "references": [ { "name": "ZDI-24-1046", "tags": [ "x_research-advisory" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1046/" } ], "source": { "lang": "en", "value": "Todd Manning of Trend Micro Research" }, "title": "ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability" } }, "cveMetadata": { "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "assignerShortName": "zdi", "cveId": "CVE-2024-7391", "datePublished": "2024-11-22T21:31:18.047Z", "dateReserved": "2024-08-01T20:11:51.555Z", "dateUpdated": "2024-11-26T15:59:17.260Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-7391\",\"sourceIdentifier\":\"zdi-disclosures@trendmicro.com\",\"published\":\"2024-11-22T22:15:17.893\",\"lastModified\":\"2024-12-03T21:44:10.397\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability.\\n\\nThe specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. 
An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner\u0027s Wi-Fi network. Was ZDI-CAN-21454.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n de Bluetooth Low Energy en ChargePoint Home Flex. Esta vulnerabilidad permite a los atacantes adyacentes a la red divulgar informaci\u00f3n confidencial sobre las instalaciones afectadas de los dispositivos de carga ChargePoint Home Flex. Se requiere la interacci\u00f3n del usuario para explotar esta vulnerabilidad. La falla espec\u00edfica existe dentro de la l\u00f3gica de configuraci\u00f3n de Wi-Fi. Al conectarse al dispositivo a trav\u00e9s de Bluetooth Low Energy durante el proceso de configuraci\u00f3n, un atacante puede obtener credenciales de Wi-Fi. Un atacante puede aprovechar esta vulnerabilidad para divulgar credenciales y obtener acceso a la red Wi-Fi del propietario del dispositivo. Era ZDI-CAN-21454.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"zdi-disclosures@trendmicro.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":2.6,\"baseSeverity\":\"LOW\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\"
:1.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"zdi-disclosures@trendmicro.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:chargepoint:home_flex_firmware:5.5.3.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"634EF904-F103-4F4B-8A50-64E4D67B3FD0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:chargepoint:home_flex:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"868D932A-A1D8-46A5-9167-7BC45E5F014B\"}]}]}],\"references\":[{\"url\":\"https://www.zerodayinitiative.com/advisories/ZDI-24-1046/\",\"source\":\"zdi-disclosures@trendmicro.com\",\"tags\":[\"Third Party Advisory\"]}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-7391\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-26T15:59:08.355542Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-26T15:59:13.782Z\"}}], \"cna\": {\"title\": \"ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability\", \"source\": {\"lang\": \"en\", \"value\": \"Todd Manning of Trend Micro Research\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 2.6, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\"}}], \"affected\": [{\"vendor\": \"ChargePoint\", \"product\": \"Home Flex\", \"versions\": [{\"status\": \"affected\", \"version\": 
\"5.5.3.13\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2024-08-01T15:21:32.699-05:00\", \"references\": [{\"url\": \"https://www.zerodayinitiative.com/advisories/ZDI-24-1046/\", \"name\": \"ZDI-24-1046\", \"tags\": [\"x_research-advisory\"]}], \"dateAssigned\": \"2024-08-01T15:11:51.576-05:00\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability.\\n\\nThe specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner\u0027s Wi-Fi network. Was ZDI-CAN-21454.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"99f1926a-a320-47d8-bbb5-42feb611262e\", \"shortName\": \"zdi\", \"dateUpdated\": \"2024-11-22T21:31:18.047Z\"}}}", "cveMetadata": "{\"cveId\": \"CVE-2024-7391\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-26T15:59:17.260Z\", \"dateReserved\": \"2024-08-01T20:11:51.555Z\", \"assignerOrgId\": \"99f1926a-a320-47d8-bbb5-42feb611262e\", \"datePublished\": \"2024-11-22T21:31:18.047Z\", \"assignerShortName\": \"zdi\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.