CVE-2021-25525

Improper check or handling of exception conditions vulnerability in Samsung Pay (US only) prior to version 4.0.65 allows attacker to use NFC without user recognition.

CVSS v3 2.0 LOW
CVSS v2.0 3.3 LOW

2.0^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.4 / Impact : 1.4

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

3.3^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 6.5 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12	Vendor Advisory
https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:samsung:pay:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:55

Type	Values Removed	Values Added
CVSS	v2 : ~~3.3~~ v3 : ~~6.5~~	v2 : 3.3 v3 : 2.0
References	~~() https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12 - Vendor Advisory~~	() https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12 - Vendor Advisory

Information

Published : 2021-12-08 15:15

Updated : 2024-11-21 05:55

NVD link : CVE-2021-25525

Mitre link : CVE-2021-25525

CVE.ORG link : CVE-2021-25525

JSON object : View

Products Affected

samsung

pay

CWE

CWE-703

Improper Check or Handling of Exceptional Conditions

CWE-754

Improper Check for Unusual or Exceptional Conditions

{"id": "CVE-2021-25525", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "mobile.security@samsung.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 2.0, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 0.4}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2021-12-08T15:15:08.827", "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12", "tags": ["Vendor Advisory"], "source": "mobile.security@samsung.com"}, {"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "mobile.security@samsung.com", "description": [{"lang": "en", "value": "CWE-703"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-754"}]}], "descriptions": [{"lang": "en", "value": "Improper check or handling of exception conditions vulnerability in Samsung Pay (US only) prior to version 4.0.65 allows attacker to use NFC without user recognition."}, {"lang": "es", "value": "Una vulnerabilidad de comprobaci\u00f3n o administraci\u00f3n inapropiada de las condiciones de excepci\u00f3n en Samsung Pay (US only) versiones anteriores a 4.0.65, permite al atacante usar NFC sin el reconocimiento del usuario"}], "lastModified": "2024-11-21T05:55:10.463", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:samsung:pay:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEF979F8-567C-49FD-9BDF-1C6714EC6619", "versionEndExcluding": "4.0.65"}], "operator": "OR"}]}], "sourceIdentifier": "mobile.security@samsung.com"}