CVE-2024-2104
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-10
Assigner: CERT VDE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| harman_international | jbl_tune_flex | * |
| harman_international | jbl_live_pro_2_tws | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-2104 is a critical vulnerability in the Bluetooth Low Energy (BLE) Generic Attribute Profile (GATT) server of JBL LIVE PRO 2 TWS and JBL TUNE FLEX headphones. Due to improper BLE security configurations and lack of authentication on the GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service. This allows attackers to manipulate device settings, eavesdrop on data exchanges, and potentially send altered firmware updates, which could lead to unauthorized code execution or render the device unusable. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an adjacent attacker to gain unauthorized control over your device settings, eavesdrop on your data exchanges, and send altered firmware updates. These actions can lead to unauthorized code execution on your device or make the device unusable, severely affecting confidentiality, integrity, and availability of the device. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Currently, there are no known mitigations or remediations available for this vulnerability. The vendor has indicated no fix is planned as of the latest update. Therefore, no immediate mitigation steps can be recommended based on the available information. [1, 2]