[Japanese]

JVNDB-2022-000003

Jimoty App for Android uses a hard-coded API key for an external service

Overview

Jimoty App for Android provided by Jimoty, Inc. uses a hard-coded API key for an external service (CWE-798).

Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.1 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Jimoty, Inc.
  • Jimoty for Android versions prior to 3.7.42

Impact

API key for an external service may be obtained by analyzing data in the app.
Note that a user is not directly affected by this vulnerability.
Solution

[Update the Application]
Update the application to the latest version according to the information provided by the developer.

According to the developer, the latest app does not hard-code the API key.
The vulnerable API key has been deactivated, therefore information contained in the vulnerable app can not be abused.
Vendor Information

Jimoty, Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2022-0131
References

  1. JVN : JVN#49047921
  2. National Vulnerability Database (NVD) : CVE-2022-0131
Revision History

  • [2022/01/12]
      Web page was published

Date Public2022/01/12
Date First Published2022/01/12
Date Last Updated2022/01/12