CVE-2024-2197 MEDIUM

CVE-2024-2197: Chirp Systems Chirp Access Use of Hard-coded Password

Vendor: Chirp Systems
Product: Chirp Access
Weakness: CWE-259
Published: March 19, 2024
Last update: August 1, 2024

CVSS base score

4.3/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Chirp Access app contains a hard-coded password, BEACON_PASSWORD. An attacker within Bluetooth range could change configuration settings within the Bluetooth beacon, effectively disabling the application's ability to notify users when they are near a Beacon-enabled access point. This variable cannot be used to change the configuration settings of the door readers or locksets and does not affect the ability of authorized users of the mobile application to lock or unlock access points.

Key dates

02 Disclosure timeline

March 19, 2024: CVE published
August 1, 2024: Record updated