{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7391", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2024-08-01T20:11:51.555Z", "datePublished": "2024-11-22T21:31:18.047Z", "dateUpdated": "2024-11-26T15:59:17.260Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-11-22T21:31:18.047Z"}, "title": "ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability", "descriptions": [{"lang": "en", "value": "ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability.\n\nThe specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner's Wi-Fi network. Was ZDI-CAN-21454."}], "affected": [{"vendor": "ChargePoint", "product": "Home Flex", "versions": [{"version": "5.5.3.13", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1046/", "name": "ZDI-24-1046", "tags": ["x_research-advisory"]}], "dateAssigned": "2024-08-01T15:11:51.576-05:00", "datePublic": "2024-08-01T15:21:32.699-05:00", "source": {"lang": "en", "value": "Todd Manning of Trend Micro Research"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 2.6, "baseSeverity": "LOW"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-26T15:59:08.355542Z", "id": "CVE-2024-7391", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-26T15:59:17.260Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-26T15:59:08.355542Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-26T15:59:13.782Z"}}], "cna": {"title": "ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability", "source": {"lang": "en", "value": "Todd Manning of Trend Micro Research"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 2.6, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "ChargePoint", "product": "Home Flex", "versions": [{"status": "affected", "version": "5.5.3.13"}], "defaultStatus": "unknown"}], "datePublic": "2024-08-01T15:21:32.699-05:00", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1046/", "name": "ZDI-24-1046", "tags": ["x_research-advisory"]}], "dateAssigned": "2024-08-01T15:11:51.576-05:00", "descriptions": [{"lang": "en", "value": "ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability.\n\nThe specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner's Wi-Fi network. Was ZDI-CAN-21454."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-11-22T21:31:18.047Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7391", "state": "PUBLISHED", "dateUpdated": "2024-11-26T15:59:17.260Z", "dateReserved": "2024-08-01T20:11:51.555Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2024-11-22T21:31:18.047Z", "assignerShortName": "zdi"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:chargepoint:home_flex_firmware:5.5.3.13:*:*:*:*:*:*:*", "matchCriteriaId": "634EF904-F103-4F4B-8A50-64E4D67B3FD0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:chargepoint:home_flex:-:*:*:*:*:*:*:*", "matchCriteriaId": "868D932A-A1D8-46A5-9167-7BC45E5F014B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability.\n\nThe specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner's Wi-Fi network. Was ZDI-CAN-21454."}, {"lang": "es", "value": "Vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n de Bluetooth Low Energy en ChargePoint Home Flex. Esta vulnerabilidad permite a los atacantes adyacentes a la red divulgar informaci\u00f3n confidencial sobre las instalaciones afectadas de los dispositivos de carga ChargePoint Home Flex. Se requiere la interacci\u00f3n del usuario para explotar esta vulnerabilidad. La falla espec\u00edfica existe dentro de la l\u00f3gica de configuraci\u00f3n de Wi-Fi. Al conectarse al dispositivo a trav\u00e9s de Bluetooth Low Energy durante el proceso de configuraci\u00f3n, un atacante puede obtener credenciales de Wi-Fi. Un atacante puede aprovechar esta vulnerabilidad para divulgar credenciales y obtener acceso a la red Wi-Fi del propietario del dispositivo. Era ZDI-CAN-21454."}], "id": "CVE-2024-7391", "lastModified": "2024-12-03T21:44:10.397", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-11-22T22:15:17.893", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1046/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}]}

{}