Japan Vulnerability Notes (jvn), JVN:00414047
History: Nov 05, 2020 - 12:00 a.m.

JVN#00414047: Studyplus App uses a hard-coded API key for an external service

2020-11-05 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS2: 2.1 Low (AV:L/AC:L/Au:N/C:P/I:N/A:N)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS3: 5.5 Medium (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

EPSS: 0.0004 Low (Percentile: 12.6%)

Studyplus App provided by Studyplus Inc. uses a hard-coded API key for an external service (CWE-798).

Impact

The API key for the external service may be obtained by analyzing data in the app.
Note that users are not directly affected by this vulnerability.

Solution

Update the Application
Update the application to the latest version according to the information provided by the developer.

According to the developer, the API key was removed from the latest app.
The vulnerable API key has already been deactivated, so the information contained in the vulnerable app can no longer be obtained or compromised.

Products Affected

  • Studyplus App for Android v6.3.7 and earlier
  • Studyplus App for iOS v8.29.0 and earlier
