JVNDB-2021-000084

InBody App vulnerable to information disclosure

Overview

InBody App provided by InBody Japan Inc. works with the household body composition analyzer InBody Dial manufactured and sold by InBody Japan Inc., and as a part of its functions, it manages and stores data such as weight, BMI, skeletal muscle mass, and fat mass measured by InBody Dial.
InBody App contains a vulnerability which may lead to information disclosure (CWE-200) only when it works with InBody Dial. As a result, the app may receive a measurement result from InBody Dial under specific conditions.

Daiki Ichinose of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 3.5 (Low) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.9 (Low) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


InBody Japan
  • InBody App for iOS versions prior to 2.3.30
  • InBody App for Android versions prior to 2.2.90(510)

Impact

Under specific conditions, an attacker who can connect to the InBody Dial with InBody App may obtain a victim's measurement result taken by InBody Dial.
Solution

[Update InBody App]
Update InBody App to the latest version according to the information provided by the developer.
Vendor Information

InBody Japan
CWE

  1. Information Exposure (CWE-200) [IPA Evaluation]
CVE

  1. CVE-2021-20832
References

  1. JVN : JVN#63023305
  2. National Vulnerability Database (NVD) : CVE-2021-20832
Revision History

  • [2021/09/28]
      Web page was published