CVE-2024-29208 (GCVE-0-2024-29208)
Vulnerability from cvelistv5 – Published: 2024-05-07 16:40 – Updated: 2024-08-02 01:10
VLAI?
Summary
An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password.
Affected Products:
UniFi Connect EV Station (Version 1.1.18 and earlier)
UniFi Connect EV Station Pro (Version 1.1.18 and earlier)
UniFi Connect Display (Version 1.9.324 and earlier)
UniFi Connect Display Cast (Version 1.6.225 and earlier)
Mitigation:
Update UniFi Connect Application to Version 3.10.7 or later.
Update UniFi Connect EV Station to Version 1.2.15 or later.
Update UniFi Connect EV Station Pro to Version 1.2.15 or later.
Update UniFi Connect Display to Version 1.11.348 or later.
Update UniFi Connect Display Cast to Version 1.8.255 or later.
Severity ?
CWE
- CWE-521 - Weak Password Requirements
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Ubiquiti Inc | Update UniFi Connect EV Station |
Affected:
1.2.15 , < 1.2.15
(semver)
|
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ubiquiti:unifi_connect_ev_station:1.2.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unifi_connect_ev_station",
"vendor": "ubiquiti",
"versions": [
{
"status": "affected",
"version": "1.2.15"
}
]
},
{
"cpes": [
"cpe:2.3:a:ubiquiti:unifi_connect_ev_station_pro:1.2.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unifi_connect_ev_station_pro",
"vendor": "ubiquiti",
"versions": [
{
"status": "affected",
"version": "1.2.15"
}
]
},
{
"cpes": [
"cpe:2.3:a:ubiquiti:unifi_connect_display:1.11.348:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unifi_connect_display",
"vendor": "ubiquiti",
"versions": [
{
"status": "affected",
"version": "1.11.348"
}
]
},
{
"cpes": [
"cpe:2.3:a:ubiquiti:unifi_connect_display_cast:1.8.255:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "unifi_connect_display_cast",
"vendor": "ubiquiti",
"versions": [
{
"status": "affected",
"version": "1.8.255"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T15:45:33.305337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "CWE-521 Weak Password Requirements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:11.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Update UniFi Connect EV Station",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.2.15",
"status": "affected",
"version": "1.2.15",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Update UniFi Connect EV Station Pro",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.2.15",
"status": "affected",
"version": "1.2.15",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Update UniFi Connect Display",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.11.348",
"status": "affected",
"version": "1.11.348",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Update UniFi Connect Display Cast ",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.8.255",
"status": "affected",
"version": "1.8.255",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password.\n\n \n\nAffected Products:\n\nUniFi Connect EV Station (Version 1.1.18 and earlier) \n\nUniFi Connect EV Station Pro (Version 1.1.18 and earlier)\n\nUniFi Connect Display (Version 1.9.324 and earlier)\n\nUniFi Connect Display Cast (Version 1.6.225 and earlier)\n\n \n\nMitigation:\n\nUpdate UniFi Connect Application to Version 3.10.7 or later.\n\nUpdate UniFi Connect EV Station to Version 1.2.15 or later.\n\nUpdate UniFi Connect EV Station Pro to Version 1.2.15 or later.\n\nUpdate UniFi Connect Display to Version 1.11.348 or later.\n\nUpdate UniFi Connect Display Cast to Version 1.8.255 or later."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 2.2,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-05-07T16:40:02.495Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2024-29208",
"datePublished": "2024-05-07T16:40:02.495Z",
"dateReserved": "2024-03-19T01:04:06.323Z",
"dateUpdated": "2024-08-02T01:10:54.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password.\\n\\n \\n\\nAffected Products:\\n\\nUniFi Connect EV Station (Version 1.1.18 and earlier) \\n\\nUniFi Connect EV Station Pro (Version 1.1.18 and earlier)\\n\\nUniFi Connect Display (Version 1.9.324 and earlier)\\n\\nUniFi Connect Display Cast (Version 1.6.225 and earlier)\\n\\n \\n\\nMitigation:\\n\\nUpdate UniFi Connect Application to Version 3.10.7 or later.\\n\\nUpdate UniFi Connect EV Station to Version 1.2.15 or later.\\n\\nUpdate UniFi Connect EV Station Pro to Version 1.2.15 or later.\\n\\nUpdate UniFi Connect Display to Version 1.11.348 or later.\\n\\nUpdate UniFi Connect Display Cast to Version 1.8.255 or later.\"}, {\"lang\": \"es\", \"value\": \"Un cambio de contrase\\u00f1a no verificado podr\\u00eda permitir que un actor malintencionado con acceso API al dispositivo cambie la contrase\\u00f1a del sistema sin conocer la contrase\\u00f1a anterior. Productos afectados: UniFi Connect EV Station (versi\\u00f3n 1.1.18 y anteriores) UniFi Connect EV Station Pro (versi\\u00f3n 1.1.18 y anteriores) UniFi Connect Display (versi\\u00f3n 1.9.324 y anteriores) UniFi Connect Display Cast (versi\\u00f3n 1.6.225 y anteriores) ) Mitigaci\\u00f3n: actualice la aplicaci\\u00f3n UniFi Connect a la versi\\u00f3n 3.10.7 o posterior. Actualice UniFi Connect EV Station a la versi\\u00f3n 1.2.15 o posterior. Actualice UniFi Connect EV Station Pro a la versi\\u00f3n 1.2.15 o posterior. Actualice UniFi Connect Display a la versi\\u00f3n 1.11.348 o posterior. Actualice UniFi Connect Display Cast a la versi\\u00f3n 1.8.255 o posterior.\"}]",
"id": "CVE-2024-29208",
"lastModified": "2024-11-21T09:07:49.330",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"support@hackerone.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 2.2, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.7, \"impactScore\": 1.4}]}",
"published": "2024-05-07T17:15:08.330",
"references": "[{\"url\": \"https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09\", \"source\": \"support@hackerone.com\"}, {\"url\": \"https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-521\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-29208\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2024-05-07T17:15:08.330\",\"lastModified\":\"2024-11-21T09:07:49.330\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password.\\n\\n \\n\\nAffected Products:\\n\\nUniFi Connect EV Station (Version 1.1.18 and earlier) \\n\\nUniFi Connect EV Station Pro (Version 1.1.18 and earlier)\\n\\nUniFi Connect Display (Version 1.9.324 and earlier)\\n\\nUniFi Connect Display Cast (Version 1.6.225 and earlier)\\n\\n \\n\\nMitigation:\\n\\nUpdate UniFi Connect Application to Version 3.10.7 or later.\\n\\nUpdate UniFi Connect EV Station to Version 1.2.15 or later.\\n\\nUpdate UniFi Connect EV Station Pro to Version 1.2.15 or later.\\n\\nUpdate UniFi Connect Display to Version 1.11.348 or later.\\n\\nUpdate UniFi Connect Display Cast to Version 1.8.255 or later.\"},{\"lang\":\"es\",\"value\":\"Un cambio de contrase\u00f1a no verificado podr\u00eda permitir que un actor malintencionado con acceso API al dispositivo cambie la contrase\u00f1a del sistema sin conocer la contrase\u00f1a anterior. Productos afectados: UniFi Connect EV Station (versi\u00f3n 1.1.18 y anteriores) UniFi Connect EV Station Pro (versi\u00f3n 1.1.18 y anteriores) UniFi Connect Display (versi\u00f3n 1.9.324 y anteriores) UniFi Connect Display Cast (versi\u00f3n 1.6.225 y anteriores) ) Mitigaci\u00f3n: actualice la aplicaci\u00f3n UniFi Connect a la versi\u00f3n 3.10.7 o posterior. Actualice UniFi Connect EV Station a la versi\u00f3n 1.2.15 o posterior. Actualice UniFi Connect EV Station Pro a la versi\u00f3n 1.2.15 o posterior. Actualice UniFi Connect Display a la versi\u00f3n 1.11.348 o posterior. Actualice UniFi Connect Display Cast a la versi\u00f3n 1.8.255 o posterior.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":2.2,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.7,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-521\"}]}],\"references\":[{\"url\":\"https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09\",\"source\":\"support@hackerone.com\"},{\"url\":\"https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T01:10:54.459Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-29208\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-09T15:45:33.305337Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ubiquiti:unifi_connect_ev_station:1.2.15:*:*:*:*:*:*:*\"], \"vendor\": \"ubiquiti\", \"product\": \"unifi_connect_ev_station\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.2.15\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:ubiquiti:unifi_connect_ev_station_pro:1.2.15:*:*:*:*:*:*:*\"], \"vendor\": \"ubiquiti\", \"product\": \"unifi_connect_ev_station_pro\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.2.15\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:ubiquiti:unifi_connect_display:1.11.348:*:*:*:*:*:*:*\"], \"vendor\": \"ubiquiti\", \"product\": \"unifi_connect_display\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.11.348\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:ubiquiti:unifi_connect_display_cast:1.8.255:*:*:*:*:*:*:*\"], \"vendor\": \"ubiquiti\", \"product\": \"unifi_connect_display_cast\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.8.255\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-521\", \"description\": \"CWE-521 Weak Password Requirements\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-09T15:45:09.305Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"metrics\": [{\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 2.2, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"Ubiquiti Inc\", \"product\": \"Update UniFi Connect EV Station\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.2.15\", \"lessThan\": \"1.2.15\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Ubiquiti Inc\", \"product\": \"Update UniFi Connect EV Station Pro\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.2.15\", \"lessThan\": \"1.2.15\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Ubiquiti Inc\", \"product\": \"Update UniFi Connect Display\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.11.348\", \"lessThan\": \"1.11.348\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Ubiquiti Inc\", \"product\": \"Update UniFi Connect Display Cast \", \"versions\": [{\"status\": \"affected\", \"version\": \"1.8.255\", \"lessThan\": \"1.8.255\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password.\\n\\n \\n\\nAffected Products:\\n\\nUniFi Connect EV Station (Version 1.1.18 and earlier) \\n\\nUniFi Connect EV Station Pro (Version 1.1.18 and earlier)\\n\\nUniFi Connect Display (Version 1.9.324 and earlier)\\n\\nUniFi Connect Display Cast (Version 1.6.225 and earlier)\\n\\n \\n\\nMitigation:\\n\\nUpdate UniFi Connect Application to Version 3.10.7 or later.\\n\\nUpdate UniFi Connect EV Station to Version 1.2.15 or later.\\n\\nUpdate UniFi Connect EV Station Pro to Version 1.2.15 or later.\\n\\nUpdate UniFi Connect Display to Version 1.11.348 or later.\\n\\nUpdate UniFi Connect Display Cast to Version 1.8.255 or later.\"}], \"providerMetadata\": {\"orgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"shortName\": \"hackerone\", \"dateUpdated\": \"2024-05-07T16:40:02.495Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-29208\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T01:10:54.459Z\", \"dateReserved\": \"2024-03-19T01:04:06.323Z\", \"assignerOrgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"datePublished\": \"2024-05-07T16:40:02.495Z\", \"assignerShortName\": \"hackerone\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…