JVNDB-2020-000007

[Japanese]
JVNDB-2020-000007
Android App "MyPallete" vulnerable to improper server certificate verification
Overview
Android App "MyPallete" developed by NTT Data Corporation is used by several financial institutions as Android applications for their customers. "MyPallete" is vulnerable to improper server certificate verification (CWE-295) and to improper host-matching validation (CWE-297). Dai Nakamura of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 4.8 (Medium) [IPA Score] Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: Low Integrity Impact: Low Availability Impact: None CVSS V2 Severity: Base Metrics 4.0 (Medium) [IPA Score] Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
Affected Products

(Multiple Venders) (Multiple Products) Android applications based on "MyPallete" NTT DATA MyPallete Android App
As for the details of the affected Android applications using "MyPallete", refer to the information under the section [Vendor Status].
Impact
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
Solution
[Update the Application] Apply the latest update according to the information provided by the developer and/or respective financial institutions.
Vendor Information
(Multiple Venders) (Related Products) : Official Announcement from The Ashikaga Bank, Ltd. (in Japanese) (Related Products) : Official Announcement from The Senshu Ikeda Bank, Ltd. (in Japanese) (Related Products) : Official Announcement from Shikoku Bank, Ltd. (in Japanese) (Related Products) : Official Announcement from The Tohoku Bank, Ltd. (in Japanese) (Related Products) : Official Announcement from THE NAGANOBANK, LTD (in Japanese) (Related Products) : Official Announcement from The 77 bank, Ltd. (in Japanese) (Related Products) : Official Announcement from The Hokkaido Bank,Ltd. (in Japanese) (Related Products) : Official Announcement from THE HOKURIKU BANK, LTD. (in Japanese) NTT DATA NTT DATA Corporation : Official Announcement from NTT Data Corporation (in Japanese)
CWE (What is CWE?)
No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)
CVE-2020-5523
References
JVN : JVN#28845872 National Vulnerability Database (NVD) : CVE-2020-5523
Revision History
[2020/01/28] Web page was published


Date Public	2020/01/28
Date First Published	2020/01/28
Date Last Updated	2020/01/28

Android App "MyPallete" vulnerable to improper server certificate verification