Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of the Java object


The Android app "Mercari" (Japan version) provided by Mercari, Inc. contains an arbitrary Java method execution vulnerability (CWE-749) caused by inadequate restrictions on the addJavascriptInterface method of the WebView class.

Taichi Kotake of Akatsuki Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Mercari Co., Ltd.
  • Mercari (Japan version) prior to version 3.52.0

According to the developer, these versions can no longer be used because the app forces an update at startup.

A remote attacker in a man-in-the-middle position may use the Java Reflection API from JavaScript code running in the WebView to execute an arbitrary method of a Java object.
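
The impact above depends on page script reaching a Java object registered through addJavascriptInterface. The following Java code is an added example of the general hardening pattern, not code from Mercari or from this advisory: the class and method names and the host `app.example.com` are hypothetical. It relies on Android's documented behaviour that only methods annotated with `@JavascriptInterface` are callable from JavaScript when the app targets and runs on API level 17 or later.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.net.URISyntaxException;

/** Added example. Class, method and host names are hypothetical. */
public final class GuardedBridge {
    private static final String TRUSTED_HOST = "app.example.com"; // placeholder host

    /** Narrow bridge: only annotated methods are meant to be callable from page script. */
    public static final class AppBridge {
        @JavascriptInterface
        public String appVersion() { return "0.0.0-sample"; } // constructed value
    }

    /** True only for https URLs on the trusted host, without embedded credentials. */
    static boolean isTrusted(String url) {
        try {
            URI u = new URI(url);
            return "https".equalsIgnoreCase(u.getScheme())
                    && TRUSTED_HOST.equalsIgnoreCase(u.getHost())
                    && u.getUserInfo() == null;
        } catch (URISyntaxException | NullPointerException e) {
            return false;
        }
    }

    /** Loads a trusted url; returns true only when the bridge was attached. */
    public static boolean load(WebView webView, String url) {
        if (!isTrusted(url)) return false; // never load cleartext or foreign origins
        int target = webView.getContext().getApplicationInfo().targetSdkVersion;
        boolean filtered = Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1
                && target >= Build.VERSION_CODES.JELLY_BEAN_MR1;
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String next) {
                return !isTrusted(next); // true cancels navigation away from the trusted origin
            }
        });
        webView.getSettings().setJavaScriptEnabled(filtered);
        if (filtered) {
            webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        } // otherwise every public method, including inherited getClass(), would be exposed
        webView.loadUrl(url);
        return filtered;
    }
}
```

shouldOverrideUrlLoading does not see subresource requests such as scripts and images, so those also need to be served over HTTPS from the trusted origin.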

[Update the Application]
Update to the latest version provided by the developer, which fixes this vulnerability.
According to the developer, users do not have to take any voluntary action. The API level affected by the vulnerability is not in use. In addition, because the app has forced updates in the past, users cannot use the affected versions of the app.
Vendor Information

Mercari Co., Ltd.
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2020-5604

  1. JVN : JVN#93167107
  2. National Vulnerability Database (NVD) : CVE-2020-5604
Revision History

  • [2020/07/08]
      Web page was published