CVE-2020-5523

Sažetak

Android App 'MyPallete' and some of the Android banking applications based on 'MyPallete' do not verify X.509 certificates from servers, and also do not properly validate certificates with host-mismatch, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Reference

http://jvn.jp/en/jp/JVN28845872/index.html
http://www.dokodemobank.ne.jp/info_20200128_bankingapp.html
https://www.77bank.co.jp/pdf/oshirase/20012801_appvulnerability.pdf
https://www.ashikagabank.co.jp/appbanking/pdf/oshirase.pdf
https://www.hokkaidobank.co.jp/common/dat/2020/0120/15795047141946146699.pdf
https://www.hokugin.co.jp/info/archives/personal/2020/1913.html
https://www.naganobank.co.jp/soshiki/2/app-ssl.html
https://www.shikokubank.co.jp/info/apps20200128.html
https://www.sihd-bk.jp/common_v2/pdf/20200127.pdf
https://www.tohoku-bank.co.jp/news/topics/200128_applissl.html

CVSS

Base:	5.8
Impact:	4.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:N

Zadnje važnije ažuriranje

31-01-2020 - 20:24

Objavljeno

28-01-2020 - 06:15