CVE-2024-7391

{"id": "CVE-2024-7391", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "zdi-disclosures@trendmicro.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 2.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2024-11-22T22:15:17.893", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1046/", "tags": ["Third Party Advisory"], "source": "zdi-disclosures@trendmicro.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "zdi-disclosures@trendmicro.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability.\n\nThe specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner's Wi-Fi network. Was ZDI-CAN-21454."}, {"lang": "es", "value": "Vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n de Bluetooth Low Energy en ChargePoint Home Flex. Esta vulnerabilidad permite a los atacantes adyacentes a la red divulgar informaci\u00f3n confidencial sobre las instalaciones afectadas de los dispositivos de carga ChargePoint Home Flex. Se requiere la interacci\u00f3n del usuario para explotar esta vulnerabilidad. La falla espec\u00edfica existe dentro de la l\u00f3gica de configuraci\u00f3n de Wi-Fi. Al conectarse al dispositivo a trav\u00e9s de Bluetooth Low Energy durante el proceso de configuraci\u00f3n, un atacante puede obtener credenciales de Wi-Fi. Un atacante puede aprovechar esta vulnerabilidad para divulgar credenciales y obtener acceso a la red Wi-Fi del propietario del dispositivo. Era ZDI-CAN-21454."}], "lastModified": "2024-12-03T21:44:10.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:chargepoint:home_flex_firmware:5.5.3.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "634EF904-F103-4F4B-8A50-64E4D67B3FD0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:chargepoint:home_flex:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "868D932A-A1D8-46A5-9167-7BC45E5F014B"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com"}