JVNDB-2024-000060
Multiple vulnerabilities in "FreeFrom - the nostr client" App
Overview
"FreeFrom - the nostr client" App provided by FreeFrom K.K. contains the vulnerabilities listed below.
- Improper verification of cryptographic signature (CWE-347) - CVE-2024-36277
- Reliance on obfuscation or encryption of security-relevant inputs without integrity checking (CWE-649) - CVE-2024-36279
- Reusing a nonce, key pair in encryption (CWE-323) - CVE-2024-36289
The people listed below reported these vulnerabilities to IPA.
Hayato Kimura of University of Hyogo
Ryoma Ito of National Institute of Information and Communications Technology (NICT)
Kazuhiko Minematsu of NEC Corporation/Yokohama National University
Takanori Isobe of University of Hyogo
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
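What a client has to check before trusting a nostr event, as an added example that is not FreeFrom's code and not taken from the advisory: recompute the NIP-01 event id from the event fields, then verify the BIP-340 Schnorr signature over that id with the author's x-only public key. The secp256k1 arithmetic is written out so the block runs on the standard library alone; `TEST_SECKEY`, the `created_at` value and the `sign`/`make_event` helpers exist only to build a test event. The serializer relies on `json.dumps` escaping the characters NIP-01 escapes in the same way, which holds for ordinary text but not for other control characters; a strictly conforming client needs a dedicated serializer.

```python
# Added example (not FreeFrom's code): NIP-01 id recomputation plus BIP-340
# Schnorr verification over secp256k1, standard library only.
import hashlib
import hmac
import json

# secp256k1 domain parameters: field prime, group order, generator.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    # Affine point addition; None stands for the point at infinity.
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    # Double-and-add; not constant-time, which is fine for verification.
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def _tagged(tag, data):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def _lift_x(x):
    # Decode an x-only key to the curve point with even y (BIP-340).
    if x >= P:
        return None
    c = (pow(x, 3, P) + 7) % P
    y = pow(c, (P + 1) // 4, P)
    if y * y % P != c:
        return None
    return x, y if y % 2 == 0 else P - y

def sign(seckey, msg, aux=bytes(32)):
    # BIP-340 signing, used here only to build a test event.
    d = int.from_bytes(seckey, "big")
    pt = _mul(d, G)
    if pt[1] % 2:
        d = N - d
    px = pt[0].to_bytes(32, "big")
    t = (d ^ int.from_bytes(_tagged("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k = int.from_bytes(_tagged("BIP0340/nonce", t + px + msg), "big") % N
    r = _mul(k, G)
    if r[1] % 2:
        k = N - k
    rx = r[0].to_bytes(32, "big")
    e = int.from_bytes(_tagged("BIP0340/challenge", rx + px + msg), "big") % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")

def verify(pubkey_x, msg, sig):
    # BIP-340: s*G - e*P must be a point with even y whose x equals r.
    if len(pubkey_x) != 32 or len(sig) != 64:
        return False
    pt = _lift_x(int.from_bytes(pubkey_x, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N:
        return False
    e = int.from_bytes(_tagged("BIP0340/challenge", sig[:32] + pubkey_x + msg), "big") % N
    R = _add(_mul(s, G), _mul(N - e, pt))
    return R is not None and R[1] % 2 == 0 and R[0] == r

def event_id(pubkey, created_at, kind, tags, content):
    # NIP-01: sha256 of the compact JSON array [0, pubkey, created_at, kind, tags, content].
    ser = json.dumps([0, pubkey, created_at, kind, tags, content],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode("utf-8")).hexdigest()

def make_event(seckey, content, kind=1, created_at=1717718400, tags=None):
    tags = tags or []
    pubkey = _mul(int.from_bytes(seckey, "big"), G)[0].to_bytes(32, "big").hex()
    eid = event_id(pubkey, created_at, kind, tags, content)
    return {"id": eid, "pubkey": pubkey, "created_at": created_at, "kind": kind,
            "tags": tags, "content": content, "sig": sign(seckey, bytes.fromhex(eid)).hex()}

def verify_event(ev):
    # Both checks: the id must match the content, and the signature must match the id.
    try:
        expected = event_id(ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"])
        if not hmac.compare_digest(expected, ev["id"]):
            return False
        return verify(bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["id"]), bytes.fromhex(ev["sig"]))
    except (KeyError, TypeError, ValueError):
        return False

TEST_SECKEY = bytes([1]) * 32   # constructed test key, not any user's key

if __name__ == "__main__":
    ev = make_event(TEST_SECKEY, "hello nostr")
    print(verify_event(ev))                                 # True
    print(verify_event(dict(ev, content="hello nostr!")))   # False: id no longer matches
```

A client that verifies the signature against the id the sender supplied without recomputing that id from the fields still accepts an event whose content was swapped in transit; a client that skips the Schnorr check accepts events published under any pubkey. `verify_event` fails closed on both, and on any malformed field, which is the behaviour CVE-2024-36277 reports as missing.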
CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base score applies to CVE-2024-36277
CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base score applies to CVE-2024-36279
CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
The above CVSS base score applies to CVE-2024-36289
Affected Products
FreeFrom K.K.
- "FreeFrom - the nostr client" App for Android versions prior to 1.3.5
- "FreeFrom - the nostr client" App for iOS versions prior to 1.3.5
Impact
- The affected app cannot detect event data with invalid signatures (CVE-2024-36277)
- The content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack (CVE-2024-36279, CVE-2024-36289)
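How a man-in-the-middle turns a missing integrity check (CWE-649) and a reused nonce (CWE-323) into DM manipulation and disclosure, next to an encrypt-then-MAC construction that closes both, as an added example that is not FreeFrom's code and not the scheme the app uses. Because the standard library has no AES, a keystream built from HMAC-SHA256 in counter mode stands in for the cipher; `K` and `NONCE` are constructed test values (in a real client the key would be the ECDH shared secret), and `forge`, `recover_reused_nonce`, `seal_dm` and `open_dm` are names chosen here. With a block cipher in CBC mode the bit-flip lands differently (flipping the IV rewrites the first plaintext block), but the cause, a ciphertext that nothing authenticates, is the same.

```python
# Added example (not FreeFrom's code): unauthenticated encryption and nonce
# reuse from the attacker's side, then the encrypt-then-MAC form that stops it.
import hashlib
import hmac
import secrets

# Constructed test values; a real client derives the key from ECDH.
K = hashlib.sha256(b"constructed test shared secret").digest()
NONCE = bytes(16)

def _keystream(key, nonce, length):
    # Stand-in for AES: HMAC-SHA256 in counter mode. Same malleability as any stream mode.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_no_mac(key, nonce, plaintext):
    # Vulnerable pattern: nonce || ciphertext with nothing that authenticates it (CWE-649).
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))

def decrypt_no_mac(key, blob):
    return _xor(blob[16:], _keystream(key, blob[:16], len(blob) - 16))

def forge(blob, offset, known, wanted):
    # MITM who can guess the plaintext at `offset` flips bits so it decrypts to `wanted`.
    start = 16 + offset
    patched = _xor(_xor(blob[start:start + len(known)], known), wanted)
    return blob[:start] + patched + blob[start + len(known):]

def recover_reused_nonce(blob1, known_pt1, blob2):
    # Same key and nonce twice (CWE-323): C1 xor P1 is the keystream, which decrypts C2.
    assert blob1[:16] == blob2[:16]
    return _xor(blob2[16:], _xor(blob1[16:], known_pt1))

def _subkeys(key):
    # Separate encryption and MAC keys derived from the shared secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal_dm(key, plaintext):
    # Hardened: fresh random nonce per message, HMAC over nonce || ciphertext.
    enc_key, mac_key = _subkeys(key)
    body = encrypt_no_mac(enc_key, secrets.token_bytes(16), plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_dm(key, blob):
    # Check the tag in constant time before decrypting; None on any tampering.
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        return None
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    return decrypt_no_mac(enc_key, body)

if __name__ == "__main__":
    dm = encrypt_no_mac(K, NONCE, b"reply: yes")
    print(decrypt_no_mac(K, forge(dm, 7, b"yes", b"no ")))   # b'reply: no '
    sealed = seal_dm(K, b"reply: yes")
    print(open_dm(K, forge(sealed, 7, b"yes", b"no ")))      # None
```

The two attacks need no key material: `forge` only needs a guess of part of the plaintext, and `recover_reused_nonce` only needs one plaintext that was sent under the repeated nonce. An AEAD mode (for instance AES-GCM or ChaCha20-Poly1305) gives the same guarantees as `seal_dm`/`open_dm` in one primitive and is the usual choice when a library is available.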
Solution
[Update the application]
Update the application to the latest version according to the information provided by the developer.
Vendor Information
FreeFrom K.K.
CWE by IPA
- No Mapping (CWE-Other) [IPA Evaluation]
Other Information
- CVE-2024-36277
- CVE-2024-36279
- CVE-2024-36289
- JVN : JVN#55045256
Update History
- [2024/06/07] Web page was published