|
[Japanese]
|
JVNDB-2024-000013
|
Android App "Spoon" uses a hard-coded API key for an external service
|
|
Android App "Spoon" provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service (CWE-798).
Yoshihito Sakai of BroadBand Security, Inc reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.1 (Low) [IPA Score]
- Access Vector: Local
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
|
|
|
Spoon Radio Japan Inc.
- Android Spoon application version 7.11.1 to 8.6.0
|
|
|
The hard-coded API key may be retrieved when the application binary is reverse-engineered.
This API key may be used for unexpected access of the associated service.
Note that the application users are not directly affected by this vulnerability.
|
|
[Update the Application]
Update the application to the latest version according to the information provided by the developer.
This vulnerability has been fixed in Android Spoon application version 8.6.1 or later.
|
|
Spoon Radio Japan Inc.
|
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2024-23453
|
|
- JVN : JVN#96154238
- National Vulnerability Database (NVD) : CVE-2024-23453
|
|
- [2024/01/23]
Web page was published
- [2024/01/24]
Overview was modified
- [2024/03/14]
References : Content was added
|
