Description

An attacker with access to the private network the charger is connected to, or with local access to the Ethernet interface, can exploit a faulty implementation of the JWT library to bypass the password authentication of the web configuration interface, and then has the same full access the user would have. However, the attacker will not have developer or admin rights. If the JWT library is wrongly configured to accept the "none" algorithm, the server will accept insecure JWTs. A local, unauthenticated attacker can exploit this vulnerability to bypass the authentication mechanism.
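The misconfiguration described above, shown next to the check that prevents it. This is an added example, not the vendor's firmware code: the function names, the HS256 choice and the sample key are assumptions, since the advisory does not say which signing algorithm the charger uses.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, alg: str, key: bytes = b"") -> str:
    """Test helper (constructed input): build a compact JWT.
    Any alg other than HS256 gets an empty signature part."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify(token: str, key: bytes, allowed_algs=("HS256",)):
    """Return the claims if the token is valid, else None.

    The header's alg is only honoured if it is on the server-side
    allowlist. With the default allowlist, "none" (in any letter case)
    is refused; listing "none" reproduces the misconfiguration."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        alg = json.loads(b64url_decode(head_b64)).get("alg")
        if alg not in allowed_algs:
            return None
        if alg == "HS256":
            signed = f"{head_b64}.{body_b64}".encode()
            expected = hmac.new(key, signed, hashlib.sha256).digest()
            # Constant-time comparison of the expected and supplied MAC.
            if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
                return None
            return json.loads(b64url_decode(body_b64))
        if alg == "none":
            # Reachable only when "none" was put on the allowlist:
            # the claims are returned without any signature check.
            return json.loads(b64url_decode(body_b64))
        return None  # allowlisted but not implemented here
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token, bad base64 or bad JSON
```

A regression test for a web interface like this one should include a token whose header says "none" and assert that it is refused.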

INFO

Published Date: 2024-06-06T12:54:09.480Z

Last Modified: 2024-08-01T21:18:06.963Z

Source: ASRG

AFFECTED PRODUCTS

The following products are affected by CVE-2024-5684 vulnerability.

Vendor: Vw

Products:
  • Id.charger Connect
  • Id.charger Connect Firmware
  • Id.charger Pro
  • Id.charger Pro Firmware