CVE-2020-35398

{"id": "CVE-2020-35398", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2021-12-23T22:15:07.333", "references": [{"url": "https://cvewalkthrough.com/cve-2020-35398-uti-mutual-fund-android-application-username-enumeration/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://play.google.com/store/apps/details?id=com.utimutualfunds.utimutualfund&hl=en_IN&gl=US", "tags": ["Product", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in UTI Mutual fund Android application 5.4.18 and prior, allows attackers to brute force enumeration of usernames determined by the error message returned after invalid credentials are attempted."}, {"lang": "es", "value": "Se ha detectado un problema en la aplicaci\u00f3n Android de UTI Mutual fund versiones 5.4.18 y anteriores, que permite a atacantes enumerar por fuerza bruta los nombres de usuario determinados por el mensaje de error devuelto despu\u00e9s de intentar conseguir credenciales no v\u00e1lidas"}], "lastModified": "2021-12-29T19:03:58.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:utimf:uti_mutual_fund_invest_online:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "7E3A8820-9709-4784-96A0-1DBEC3A95DFF", "versionEndIncluding": "5.4.28"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}