Skip to content

Commit

Permalink
3 changes (2 new | 1 updated):
Browse files Browse the repository at this point in the history 
      - 2 new CVEs:  CVE-2024-11665, CVE-2024-11666
      - 1 updated CVEs: CVE-2024-9621
  • Loading branch information
cvelistV5 Github Action committed Nov 24, 2024
1 parent b4892cb commit 43f5e45
Show file tree
Hide file tree
Showing 5 changed files with 291 additions and 9 deletions.
121 changes: 121 additions & 0 deletions cves/2024/11xxx/CVE-2024-11665.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-2024-11665",
"assignerOrgId": "2d533b80-6e4a-4e20-93e2-171235122846",
"state": "PUBLISHED",
"assignerShortName": "ONEKEY",
"dateReserved": "2024-11-24T22:27:15.904Z",
"datePublished": "2024-11-24T22:32:43.427Z",
"dateUpdated": "2024-11-24T22:32:43.427Z"
},
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cph2_echarge_firmware",
"vendor": "hardy-barth",
"versions": [
{
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Quentin Kaiser from ONEKEY Research Labs"
}
],
"datePublic": "2024-11-24T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in hardy-barth cph2_echarge_firmware allows OS Command Injection.<p>This issue affects cph2_echarge_firmware: through 2.0.4.</p>"
}
],
"value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in hardy-barth cph2_echarge_firmware allows OS Command Injection.This issue affects cph2_echarge_firmware: through 2.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "2d533b80-6e4a-4e20-93e2-171235122846",
"shortName": "ONEKEY",
"dateUpdated": "2024-11-24T22:32:43.427Z"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.onekey.com/resource/not-all-ev-chargers-are-created-equal"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Remote Command Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
}
}
121 changes: 121 additions & 0 deletions cves/2024/11xxx/CVE-2024-11666.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-2024-11666",
"assignerOrgId": "2d533b80-6e4a-4e20-93e2-171235122846",
"state": "PUBLISHED",
"assignerShortName": "ONEKEY",
"dateReserved": "2024-11-24T22:27:19.421Z",
"datePublished": "2024-11-24T22:36:59.989Z",
"dateUpdated": "2024-11-24T22:36:59.989Z"
},
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cph2_echarge_firmware",
"vendor": "hardy-barth",
"versions": [
{
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Quentin Kaiser from ONEKEY Research Labs"
}
],
"datePublic": "2024-11-24T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Affected devices beacon to eCharge cloud infrastructure asking if there are any command they should run. This communication is established over an insecure channel since peer verification is disabled everywhere. Therefore, remote unauthenticated users&nbsp; suitably positioned on the network between an EV charger controller and eCharge infrastructure can execute arbitrary commands with elevated privileges on affected devices.<br><br><p>This issue affects cph2_echarge_firmware: through 2.0.4.</p>"
}
],
"value": "Affected devices beacon to eCharge cloud infrastructure asking if there are any command they should run. This communication is established over an insecure channel since peer verification is disabled everywhere. Therefore, remote unauthenticated users  suitably positioned on the network between an EV charger controller and eCharge infrastructure can execute arbitrary commands with elevated privileges on affected devices.\n\nThis issue affects cph2_echarge_firmware: through 2.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "2d533b80-6e4a-4e20-93e2-171235122846",
"shortName": "ONEKEY",
"dateUpdated": "2024-11-24T22:36:59.989Z"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.onekey.com/resource/not-all-ev-chargers-are-created-equal"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Remote Command Injection in eCharge Salia PLCC",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
}
}
4 changes: 2 additions & 2 deletions cves/2024/9xxx/CVE-2024-9621.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"assignerShortName": "redhat",
"dateReserved": "2024-10-08T01:08:43.306Z",
"datePublished": "2024-10-08T16:26:09.155Z",
"dateUpdated": "2024-10-15T06:18:04.442Z"
"dateUpdated": "2024-11-24T22:32:55.779Z"
},
"containers": {
"cna": {
Expand Down Expand Up @@ -117,7 +117,7 @@
"providerMetadata": {
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat",
"dateUpdated": "2024-10-15T06:18:04.442Z"
"dateUpdated": "2024-11-24T22:32:55.779Z"
}
},
"adp": [
Expand Down
27 changes: 20 additions & 7 deletions cves/delta.json
View file
Original file line number Diff line number Diff line change
@@ -1,13 +1,26 @@
{
"fetchTime": "2024-11-24T22:20:04.658Z",
"numberOfChanges": 1,
"new": [],
"fetchTime": "2024-11-24T22:40:28.738Z",
"numberOfChanges": 3,
"new": [
{
"cveId": "CVE-2024-11665",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-11665",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/11xxx/CVE-2024-11665.json",
"dateUpdated": "2024-11-24T22:32:43.427Z"
},
{
"cveId": "CVE-2024-11666",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-11666",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/11xxx/CVE-2024-11666.json",
"dateUpdated": "2024-11-24T22:36:59.989Z"
}
],
"updated": [
{
"cveId": "CVE-2024-9632",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-9632",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/9xxx/CVE-2024-9632.json",
"dateUpdated": "2024-11-24T22:11:31.731Z"
"cveId": "CVE-2024-9621",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-9621",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/9xxx/CVE-2024-9621.json",
"dateUpdated": "2024-11-24T22:32:55.779Z"
}
],
"error": []
Expand Down
27 changes: 27 additions & 0 deletions cves/deltaLog.json
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,31 @@
[
{
"fetchTime": "2024-11-24T22:40:28.738Z",
"numberOfChanges": 3,
"new": [
{
"cveId": "CVE-2024-11665",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-11665",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/11xxx/CVE-2024-11665.json",
"dateUpdated": "2024-11-24T22:32:43.427Z"
},
{
"cveId": "CVE-2024-11666",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-11666",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/11xxx/CVE-2024-11666.json",
"dateUpdated": "2024-11-24T22:36:59.989Z"
}
],
"updated": [
{
"cveId": "CVE-2024-9621",
"cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-9621",
"githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/9xxx/CVE-2024-9621.json",
"dateUpdated": "2024-11-24T22:32:55.779Z"
}
],
"error": []
},
{
"fetchTime": "2024-11-24T22:20:04.658Z",
"numberOfChanges": 1,
Expand Down

0 comments on commit 43f5e45

Please sign in to comment.