CVE-2021-34588 : In Bender/ebee Charge Controllers in multiple versions are prone to unprotected

In Bender/ebee Charge Controllers in multiple versions are prone to unprotected data export. Backup export is protected via a random key. The key is set at user login. It is empty after reboot .

Published 2022-04-27 16:15:11

Updated 2022-05-11 16:55:25

Source CERT VDE

View at NVD, CVE.org

Products affected by CVE-2021-34588

Bender » Cc612 Firmware
Versions from including (>=) 5.12.0 and before (<) 5.12.5
cpe:2.3:o:bender:cc612_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bender » Cc612 » Version: N/A
Bender » Cc612 Firmware
Versions from including (>=) 5.11.0 and before (<) 5.11.2
cpe:2.3:o:bender:cc612_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bender » Cc612 » Version: N/A
Bender » Cc612 Firmware
Versions from including (>=) 5.13.0 and before (<) 5.13.2
cpe:2.3:o:bender:cc612_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bender » Cc612 » Version: N/A
Bender » Cc612 Firmware
Versions from including (>=) 5.20.0 and before (<) 5.20.2
cpe:2.3:o:bender:cc612_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bender » Cc612 » Version: N/A
Bender » Icc15xx Firmware
Versions from including (>=) 5.20.0 and before (<) 5.20.2
cpe:2.3:o:bender:icc15xx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bender » Cc613 » Version: N/A
Bender » Icc15xx Firmware
Versions from including (>=) 5.11.0 and before (<) 5.11.2
cpe:2.3:o:bender:icc15xx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bender » Cc613 » Version: N/A
Bender » Icc15xx Firmware
Versions from including (>=) 5.13.0 and before (<) 5.13.2
cpe:2.3:o:bender:icc15xx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bender » Cc613 » Version: N/A
Bender » Icc15xx Firmware
Versions from including (>=) 5.12.0 and before (<) 5.12.5
cpe:2.3:o:bender:icc15xx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bender » Cc613 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2021-34588

EPSS FAQ

0.27%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 50 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-34588

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
8.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N	3.9	4.0	CERT VDE
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None
8.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N	3.9	4.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-34588

CWE-425 Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Assigned by: info@cert.vde.com (Primary)

References for CVE-2021-34588

https://cert.vde.com/en/advisories/VDE-2021-047

VDE-2021-047 | CERT@VDE
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-34588

Products affected by CVE-2021-34588

Exploit prediction scoring system (EPSS) score for CVE-2021-34588

CVSS scores for CVE-2021-34588

CWE ids for CVE-2021-34588

References for CVE-2021-34588