Vulnerability Details : CVE-2018-18071
An issue was discovered in the Daimler Mercedes-Benz Me app 2.11.0-846 for iOS. The encrypted Connected Vehicle API data exchange between the app and a server might be intercepted. The app can be used to operate the Remote Parking Pilot, unlock the vehicle, or obtain sensitive information such as latitude, longitude, and direction of travel.
Products affected by CVE-2018-18071
- cpe:2.3:a:mercedes-benz:mercedes_me:2.11.0:*:*:*:*:iphone_os:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-18071
- 1.15%: probability of exploitation activity in the next 30 days
- ~85%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2018-18071
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-18071
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-18071
- https://www.scip.ch/en/?labs.20180405
  Car Hacking - Analysis of the Mercedes Connected Vehicle API (Exploit; Technical Description; Third Party Advisory)
- https://vuldb.com/?id.125081
  Daimler Mercedes Me App 2.11.0-846 on iOS Certificate Pinning Man-in-the-Middle weak encryption (Exploit; Third Party Advisory; VDB Entry)