JVNDB-2021-000064

GU App for Android fails to restrict access permissions

Overview

GU App for Android provided by G.U. CO., LTD. contains an access restriction bypass issue (CWE-939). When the App is launched via its Custom URL Scheme, it may lead a user to access an arbitrary URL.
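As an added illustration (not the GU App's own code, which this advisory does not show), the hypothetical Android Activity below pairs the CWE-939 pattern the overview describes with a host-allowlist check that closes it; the class name, the allowed hosts and the `url` query parameter are assumptions.

```java
// Added illustrative example, not the GU App's actual code. It assumes a
// hypothetical WebView-based Activity exported as the handler for a custom
// URL scheme, which takes the page to load from the incoming Intent.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;

public class DeepLinkActivity extends Activity {
    // Hosts the app is allowed to open in its WebView (assumed values).
    private static final List<String> ALLOWED_HOSTS =
            Arrays.asList("www.example.com", "app.example.com");

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        Intent intent = getIntent();
        Uri deepLink = intent.getData();
        if (deepLink == null) { finish(); return; }

        // Vulnerable pattern (CWE-939): the target comes from the custom
        // scheme's query string and is loaded without any check, so whoever
        // can fire the scheme decides what the WebView shows.
        //   String target = deepLink.getQueryParameter("url");
        //   webView.loadUrl(target);

        // Hardened pattern: accept only https URLs whose host is on the
        // allowlist and refuse everything else.
        String target = deepLink.getQueryParameter("url");
        if (target == null || !isAllowed(Uri.parse(target))) {
            finish();
            return;
        }
        webView.loadUrl(target);
    }

    /** Returns true only for https URLs on an allowlisted host. */
    static boolean isAllowed(Uri uri) {
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```

Comparing the parsed host against a fixed allowlist, rather than string-prefix matching on the raw URL, is what keeps look-alike hosts and userinfo tricks from passing the check.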

Nao Komatsu of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

GU.CO.,LTD.
  • GU for Android versions 4.8.0 to 5.0.2

Impact

A remote attacker may lead a user to access an arbitrary website via the vulnerable App. If that destination is a malicious website, the user may fall victim to a social engineering attack.
Solution

[Update the Application]
Update the application to the latest version according to the information provided by the developer.
The vulnerability is fixed in version 5.0.3.
Vendor Information

GU.CO.,LTD.
CWE

  1. Permissions (CWE-264) [IPA Evaluation]
CVE

  1. CVE-2021-20777
References

  1. JVN : JVN#25850723
  2. National Vulnerability Database (NVD) : CVE-2021-20777
Revision History

  • [2021/07/07]
      Web page was published