
JVNDB-2020-000065

Multiple access restriction bypass vulnerabilities in UNIQLO App

Overview

UNIQLO App provided by UNIQLO CO., LTD. contains the following multiple access restriction bypass vulnerabilities.
A remote attacker may be able to lead a user to access an arbitrary website via the vulnerable App.
* The App launched by a Custom URL Scheme may lead a user to access an arbitrary URL - CVE-2020-5628
* The App may receive an Intent from an arbitrary App, which may lead a user to access an arbitrary URL requested by that Intent - CVE-2020-5629
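Both issues are the same defect seen from two entry points: a URL supplied by an untrusted caller (a custom-scheme link, or an Intent from another app) is opened without the app deciding whether that destination is one it should show. The Android code below is an added illustration, not the UNIQLO App's code or anything published by the developer; the scheme `myapp`, the path `open`, the extra name `url`, the activity name and the allowlisted hosts are hypothetical. It shows the unchecked pattern beside a hardened version that only loads validated destinations.

```java
// Added illustration (not the UNIQLO App's code). A generic Activity reachable via
// a custom URL scheme ("myapp://open?url=...") and via an Intent extra, which opens
// the requested URL in a WebView. All names below are hypothetical.

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkActivity extends Activity {
    public static final String EXTRA_URL = "url"; // hypothetical extra name
    // Hypothetical allowlist: only hosts this app is meant to display in its WebView.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "m.example.com"));

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        String target = extractTarget(getIntent());
        if (target == null) {
            finish();
            return;
        }

        // Vulnerable pattern (access restriction bypass): load whatever the caller
        // supplied. Any app, or any web page that triggers the custom scheme, then
        // decides where the user ends up.
        //   webView.loadUrl(target);

        // Hardened pattern: the destination must pass the app's own policy first.
        if (isAllowedDestination(target)) {
            webView.loadUrl(target);
        } else {
            finish(); // or fall back to the app's home screen
        }
    }

    /** Pulls the requested URL out of either entry point; null if none present. */
    static String extractTarget(Intent intent) {
        if (intent == null) return null;
        // Entry point 1: custom URL scheme, e.g. myapp://open?url=https://...
        Uri data = intent.getData();
        if (data != null && "myapp".equals(data.getScheme())) {
            return data.getQueryParameter("url");
        }
        // Entry point 2: an Intent from another app carrying the URL as an extra.
        return intent.getStringExtra(EXTRA_URL);
    }

    /** Strict check: https only, exact host match, no user-info in the authority. */
    static boolean isAllowedDestination(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Uri.getHost() drops user-info ("user@host"), so "https://www.example.com@evil.test/"
        // resolves to host evil.test; refusing any '@' in the authority makes that explicit.
        String authority = uri.getEncodedAuthority();
        if (authority == null || authority.contains("@")) return false;
        String host = uri.getHost();
        if (host == null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```

Two points worth checking in a review of code like this: an Activity that declares an `<intent-filter>` in the manifest is reachable from other apps (and from the browser via the custom scheme), so the validation has to live in the Activity itself rather than rely on who sent the Intent; and the allowlist is an exact host comparison, not a prefix or substring match, because `startsWith("https://www.example.com")` style checks are bypassed by hosts such as `www.example.com.evil.test`.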

Satoru Nagaoka of Cyber Defense Institute, Inc. reported the CVE-2020-5628 vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

UNIQLO CO., LTD. reported the CVE-2020-5629 vulnerability to JPCERT/CC to notify users of the solution through JVN.
CVSS Severity

CVSS V3 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5628.

CVSS V3 Severity:
Base Metrics: 3.3 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5629.
Affected Products


Uniqlo
  • Uniqlo App for Android versions 7.3.3 and earlier

Impact

A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, if the access destination is a malicious website, the user may fall victim to a social engineering attack.
Solution

[Update the Application]
Update the application to the latest version according to the information provided by the developer.
The vulnerability is fixed in version 7.3.4.
Vendor Information

Uniqlo
CWE

  1. Permissions (CWE-264) [IPA Evaluation]
CVE

  1. CVE-2020-5628
  2. CVE-2020-5629
References

  1. JVN : JVN#31864411
  2. National Vulnerability Database (NVD) : CVE-2020-5628
  3. National Vulnerability Database (NVD) : CVE-2020-5629
Revision History

  • [2020/09/17]
      Web page was published