[Japanese]

JVNDB-2014-000049

050 plus for Android information management vulnerability

Overview

050 plus for Android contains an information management vulnerability.

050 plus provided by NTT Communications is an IP phone application for smartphones. 050 plus for Android contains an information management vulnerability that outputs some pieces of information stored by the product to a system log file on the device.

Ryo SATO reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products


NTT Communications Corporation
  • 050 plus for Android 4.2.0 and earlier

Impact

Android applications with permissions to read system log files may obtain log information stored by the product.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

Note that information stored in the system log may not be deleted by software update. Please be aware when installing an application that is capable of reading log files on the device.
Vendor Information

NTT Communications Corporation
CWE (What is CWE?)

  1. Information Exposure(CWE-200) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-2000
References

  1. JVN : JVN#07677464
  2. National Vulnerability Database (NVD) : CVE-2014-2000
Revision History

[2014/06/17]
  Web page was published
[2014/06/23]
  References : Content was added