SecuriTricks - CVE-2024-7391

Description

ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability. The specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner's Wi-Fi network. Was ZDI-CAN-21454.

Product(s) Impacted

Vendor	Product	Versions
Chargepoint	Home Flex Firmware Home Flex	5.5.3.13 -

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
o	chargepoint	home_flex_firmware	5.5.3.13	/	/	/	/	/	/	/
h	chargepoint	home_flex	-	/	/	/	/	/	/	/

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1046/

CVSS Score

5.7 / 10

CVSS Data

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

View Vector String

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Date

Published: Nov. 22, 2024, 10:15 p.m.
Last Modified: Dec. 3, 2024, 9:44 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

zdi-disclosures@trendmicro.com

CVE-2024-7391