Japan Vulnerability NotesJVN:01119243JVN#01119243: API server used by JR East Japan train operation information push notification App for Android fails to restrict access permissions
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0.006 Low
EPSS
Percentile
77.8%
JR East Japan train operation information push notification App for Android provided by East Japan Railway Company fails to restrict access permissions (CWE-284).
The application is no longer available/supported, and its service was ended in 2019 march 23.
Impact
A remote attacker may obtain or alter registration information of a user.
Solution
Do not use JR East Japan train operation information push notification App for Android
The application is no longer available/supported, and its service was ended in 2019 march 23. It is recommended to stop using and uninstall it.
The developer recommends that users should use JR East Japan App and/or JR East Japan Chat Bot for LINE, or check the information available through the developer’s website.
Products Affected
- JR East Japan train operation information push notification App for Android version 1.2.4 and earlier
Related
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0.006 Low
EPSS
Percentile
77.8%