CVE-2024-5684 — MEDIUM (6.3)

Vulnerability Description

An attacker with access to the private network (the charger is connected to) or local access to the Ethernet-Interface can exploit a faulty implementation of the JWT-library in order to bypass the password authentication to the web configuration interface and then has full access as the user would have. However, an attacker will not have developer or admin rights. If the implementation of the JWT-library is wrongly configured to accept "none"-algorithms, the server will pass insecure JWT. A local, unauthenticated attacker can exploit this vulnerability to bypass the authentication mechanism.

CVSS Score

6.3

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Vw	Id.Charger Connect Firmware	spr3.2
Vw	Id.Charger Connect	-
Vw	Id.Charger Pro Firmware	spr3.2
Vw	Id.Charger Pro	-

Related Weaknesses (CWE)

CWE-345

References

https://asrg.io/security-advisories/vulnerability-in-id-charger-connect-and-pro-Third Party Advisory
https://asrg.io/security-advisories/vulnerability-in-id-charger-connect-and-pro-Third Party Advisory

FAQ

What is CVE-2024-5684?

CVE-2024-5684 is a vulnerability with a CVSS score of 6.3 (MEDIUM). An attacker with access to the private network (the charger is connected to) or local access to the Ethernet-Interface can exploit a faulty implementation of the JWT-library in order to bypass the pas...

How severe is CVE-2024-5684?

CVE-2024-5684 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-5684?

Check the references section above for vendor advisories and patch information. Affected products include: Vw Id.Charger Connect Firmware, Vw Id.Charger Connect, Vw Id.Charger Pro Firmware, Vw Id.Charger Pro.