CVE-2021-21385

{"id": "CVE-2021-21385", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}]}, "published": "2021-03-24T21:15:15.070", "references": [{"url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://openmf.github.io/mobileapps.github.io/", "tags": ["Product", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://openmf.github.io/mobileapps.github.io/", "tags": ["Product", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-297"}]}], "descriptions": [{"lang": "en", "value": "Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62."}, {"lang": "es", "value": "La aplicaci\u00f3n de Android Mifos-Mobile para MifosX es una aplicaci\u00f3n de Android construida sobre la plataforma de autoservicio MifosX. Mifos-Mobile versiones anteriores al commit e505f62 deshabilita la comprobaci\u00f3n del nombre de host HTTPS de su cliente HTTP. Adem\u00e1s, acept\u00f3 como v\u00e1lido cualquier certificado autofirmado. La comprobaci\u00f3n del nombre de host es una parte importante cuando es usado HTTPS para garantizar que el certificado presentado sea v\u00e1lido para el host. Deshabilitarlo puede permitir ataques de tipo man-in-the-middle. Aceptar cualquier certificado, inclusive los autofirmados, permite ataques de tipo man-in-the-middle. Este problema es corregido en mifos-mobile commit e505f62"}], "lastModified": "2024-11-21T05:48:14.983", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mifos:mifos-mobile:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "06D0F700-A34C-4383-97E7-0C7FE2707CDD", "versionEndExcluding": "2021-03-14"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}