JVNDB-2024-000069

Cleartext transmission issue in TONE store App to TONE store

Overview

TONE store App, provided by DREAM TRAIN INTERNET INC., contains a cleartext transmission issue in its communication with the TONE store website (CWE-419).

Kodai Karakawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 3.7 (Low) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Affected Products

DREAM TRAIN INTERNET INC.
  • TONE Store Application version 3.4.2 and earlier

TONE store App is pre-installed on TONE smartphones.

Impact

A man-in-the-middle attack may allow an attacker to obtain and/or alter communications of the affected App.

Solution

[Update the application]
Update the application to the latest version according to the information provided by the developer.
The application will be updated automatically when the internet connection settings are enabled.

Vendor Information

DREAM TRAIN INTERNET INC.

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2024-39886

References

  1. JVN: JVN#28515217

Revision History

  • [2024/07/08]
      Web page was published