Lucene search

JpcertCVE-2022-43543

HistoryDec 21, 2022 - 9:15 a.m.

CVE-2022-43543

2022-12-2109:15:07

jpcert

web.nvd.nist.gov

cve-2022-43543

vulnerability

kddi

ntt docomo

softbank

+message app

android

ios

unicode control characters

phishing

nvd

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

39.5%

JSON

KDDI +Message App, NTT DOCOMO +Message App, and SoftBank +Message App contain a vulnerability caused by improper handling of Unicode control characters. +Message App displays text unprocessed, even when control characters are contained, and the text is shown based on Unicode control character’s specifications. Therefore, a crafted text may display misleading web links. As a result, a spoofed URL may be displayed and phishing attacks may be conducted. Affected products and versions are as follows: KDDI +Message App for Android prior to version 3.9.2 and +Message App for iOS prior to version 3.9.4, NTT DOCOMO +Message App for Android prior to version 54.49.0500 and +Message App for iOS prior to version 3.9.4, and SoftBank +Message App for Android prior to version 12.9.5 and +Message App for iOS prior to version 3.9.4

Affected configurations

Nvd

Vulners

Node

docomo\+_messageRange<3.9.4iphone_os

docomo\+_messageRange<54.49.0500android

kddi\+_messageRange<3.9.2android

kddi\+_messageRange<3.9.4iphone_os

softbank\+_messageRange<3.9.4iphone_os

softbank\+_messageRange<12.9.5android

VendorProductVersionCPE
docomo\+_message*cpe:2.3:a:docomo:\+_message:*:*:*:*:*:iphone_os:*:*
docomo\+_message*cpe:2.3:a:docomo:\+_message:*:*:*:*:*:android:*:*
kddi\+_message*cpe:2.3:a:kddi:\+_message:*:*:*:*:*:android:*:*
kddi\+_message*cpe:2.3:a:kddi:\+_message:*:*:*:*:*:iphone_os:*:*
softbank\+_message*cpe:2.3:a:softbank:\+_message:*:*:*:*:*:iphone_os:*:*
softbank\+_message*cpe:2.3:a:softbank:\+_message:*:*:*:*:*:android:*:*

Vendor	Product	Version	CPE
docomo	\+_message	*	cpe:2.3:a:docomo:\+_message::::::iphone_os::*
docomo	\+_message	*	cpe:2.3:a:docomo:\+_message::::::android::*
kddi	\+_message	*	cpe:2.3:a:kddi:\+_message::::::android::*
kddi	\+_message	*	cpe:2.3:a:kddi:\+_message::::::iphone_os::*
softbank	\+_message	*	cpe:2.3:a:softbank:\+_message::::::iphone_os::*
softbank	\+_message	*	cpe:2.3:a:softbank:\+_message::::::android::*

CNA Affected

[
  {
    "vendor": "KDDI CORPORATION, NTT DOCOMO, INC., and SoftBank Corp.",
    "product": "KDDI +Message App for Android and for iOS, NTT DOCOMO +Message App for Android and for iOS, and SoftBank +Message App for Android and for iOS",
    "versions": [
      {
        "version": "KDDI +Message App for Android prior to version 3.9.2 and +Message App for iOS prior to version 3.9.4, NTT DOCOMO +Message App for Android prior to version 54.49.0500 and +Message App for iOS prior to version 3.9.4, and SoftBank +Message App for Android prior to version 12.9.5 and +Message App for iOS prior to version 3.9.4",
        "status": "affected"
      }
    ]
  }
]

References

jvn.jp/en/jp/JVN43561812/index.html

www.au.com/mobile/service/plus-message/information/

www.docomo.ne.jp/service/plus_message/

www.softbank.jp/mobile/service/plus-message/

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

39.5%

JSON

Related for CVE-2022-43543