JVNDB-2016-000055

kintone mobile for Android information management vulnerability

Overview

kintone mobile for Android provided by Cybozu, Inc. contains an authentication information management vulnerability.

Kusano Kazuhiko and Gopinath reported this vulnerability to the developer.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 2.5 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

Cybozu, Inc.
  • kintone mobile for Android 1.0.0 to 1.0.5

Impact

* If using Android versions prior to 4.1, the token may be disclosed by an application with READ_LOGS permission or by a user who can access the device.

* If using Android version 4.1 or later, the token may be disclosed by a user who can access the device.

Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

Vendor Information

Cybozu, Inc.

CWE

  1. Information Exposure (CWE-200) [IPA Evaluation]

CVE

  1. CVE-2016-1185

References

  1. JVN : JVN#89026267
  2. National Vulnerability Database (NVD) : CVE-2016-1185

Revision History

  • [2016/04/25] Web page was published
  • [2016/06/01] References : Content was added