An attacker with access to the private network (the charger is connected to) or local access to the Ethernet-Interface can exploit a faulty implementation of the JWT-library in order to bypass the password authentication to the web configuration interface and then has full access as the user would have. However, an attacker will not have developer or admin rights. If the implementation of the JWT-library is wrongly configured to accept "none"-algorithms, the server will pass insecure JWT. A local, unauthenticated attacker can exploit this vulnerability to bypass the authentication mechanism.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: ASRG

Published: 2024-06-06T12:54:09.480Z

Updated: 2024-08-01T21:18:06.963Z

Reserved: 2024-06-06T12:47:48.760Z

Link: CVE-2024-5684

cve-icon Vulnrichment

Updated: 2024-08-01T21:18:06.963Z

cve-icon NVD

Status : Modified

Published: 2024-06-06T13:15:32.027

Modified: 2024-11-21T09:48:09.440

Link: CVE-2024-5684

cve-icon Redhat

No data.