{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43201", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2024-08-07T15:17:44.837Z", "datePublished": "2024-09-23T19:11:39.193Z", "dateUpdated": "2025-02-28T17:23:31.051Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "The Planet Fitness Workouts iOS and Android mobile apps fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. Planet Fitness first addressed this vulnerability in version 9.8.12 (released on 2024-07-25) and more recently in version 9.9.13 (released on 2025-02-11)."}], "affected": [{"vendor": "Planet Fitness", "product": "Planet Fitness Workouts", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "9.9.13", "versionType": "custom"}, {"version": "9.9.13", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE", "cweId": "CWE-295"}]}], "metrics": [{"cvssV3_1": {"baseScore": 8.8, "baseSeverity": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "format": "CVSS"}, {"cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 8.7, "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T20:03:29.085717Z", "id": "CVE-2024-43201", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "Planet Fitness Workouts mobile apps do not properly validate TLS certificates", "references": [{"name": "url", "url": "https://apps.apple.com/us/app/planet-fitness-workouts/id399857015"}, {"name": "url", "url": "https://dontvacuum.me/bugs/pf/"}], "credits": [{"value": "Dennis Giese", "lang": "en"}, {"value": "Braelynn Luedtke", "lang": "en"}], "datePublic": "2024-09-23T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2025-02-28T17:23:31.051Z"}}, "adp": [{"affected": [{"vendor": "planet_fitness", "product": "planet_fitness_workouts", "cpes": ["cpe:2.3:a:planet_fitness:planet_fitness_workouts:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "9.8.12", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T19:24:12.369366Z", "id": "CVE-2024-43201", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T19:55:27.448Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43201", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-23T19:24:12.369366Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:planet_fitness:planet_fitness_workouts:*:*:*:*:*:*:*:*"], "vendor": "planet_fitness", "product": "planet_fitness_workouts", "versions": [{"status": "affected", "version": "0", "lessThan": "9.8.12", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T19:24:22.207Z"}}], "cna": {"title": "Planet Fitness Workouts mobile apps do not properly validate TLS certificates", "credits": [{"lang": "en", "value": "Dennis Giese"}, {"lang": "en", "value": "Braelynn Luedtke"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 8.7, "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-43201", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-23T20:03:29.085717Z"}}}], "affected": [{"vendor": "Planet Fitness", "product": "Planet Fitness Workouts", "versions": [{"status": "affected", "version": "0", "lessThan": "9.9.13", "versionType": "custom"}, {"status": "unaffected", "version": "9.9.13"}], "defaultStatus": "unknown"}], "datePublic": "2024-09-23T00:00:00.000Z", "references": [{"url": "https://apps.apple.com/us/app/planet-fitness-workouts/id399857015", "name": "url"}, {"url": "https://dontvacuum.me/bugs/pf/", "name": "url"}], "descriptions": [{"lang": "en", "value": "The Planet Fitness Workouts iOS and Android mobile apps fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. Planet Fitness first addressed this vulnerability in version 9.8.12 (released on 2024-07-25) and more recently in version 9.9.13 (released on 2025-02-11)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2025-02-28T17:23:31.051Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43201", "state": "PUBLISHED", "dateUpdated": "2025-02-28T17:23:31.051Z", "dateReserved": "2024-08-07T15:17:44.837Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2024-09-23T19:11:39.193Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:planetfitness:planet_fitness_workouts:*:*:*:*:*:*:*:*", "matchCriteriaId": "F93B99AE-0F4C-4F84-BA83-050AB739D639", "versionEndExcluding": "9.8.12", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*", "matchCriteriaId": "B5415705-33E5-46D5-8E4D-9EBADC8C5705", "vulnerable": false}, {"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Planet Fitness Workouts iOS and Android mobile apps fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. Planet Fitness first addressed this vulnerability in version 9.8.12 (released on 2024-07-25) and more recently in version 9.9.13 (released on 2025-02-11)."}, {"lang": "es", "value": "Las aplicaciones m\u00f3viles iOS y Android de Planet Fitness Workouts anteriores a la versi\u00f3n 9.8.12 (lanzada el 25 de julio de 2024) no logran validar correctamente los certificados TLS, lo que permite que un atacante con acceso de red adecuado obtenga tokens de sesi\u00f3n e informaci\u00f3n confidencial."}], "id": "CVE-2024-43201", "lastModified": "2025-02-28T18:15:27.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2024-09-23T20:15:04.973", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Product"], "url": "https://apps.apple.com/us/app/planet-fitness-workouts/id399857015"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Exploit", "Third Party Advisory"], "url": "https://dontvacuum.me/bugs/pf/"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}