CVE-2024-5684

CVSS V2 None CVSS V3 None

Description

An attacker with access to the private network (the charger is connected to) or local access to the Ethernet-Interface can exploit a faulty implementation of the JWT-library in order to bypass the password authentication to the web configuration interface and then has full access as the user would have. However, an attacker will not have developer or admin rights. If the implementation of the JWT-library is wrongly configured to accept "none"-algorithms, the server will pass insecure JWT. A local, unauthenticated attacker can exploit this vulnerability to bypass the authentication mechanism.

Overview

CVE ID
CVE-2024-5684

Assigner
ASRG

Vulnerability Status
PUBLISHED

Published Version
2024-06-06T12:54:09.480Z

Last Modified Date
2024-06-06T13:40:30.790Z

Weakness Enumerations

CWE	URL
CWE-345	http://cwe.mitre.org/data/definitions/345.html

References

Reference URL	Reference Tags
https://asrg.io/security-advisories/vulnerability-in-id-charger-connect-and-pro-from-volkswagen-group-charging-gmbh-elli-evbox-versions-spr3-2b-spr3-51-and-spr3-52/

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-5684
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5684

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 03:21:24				Added to TrackCVE