JVN#83405304: "OfferBox" App uses a hard-coded secret key

2024-05-10 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS v3.1 base score: 7.5 (High)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.8 (Medium), confidence: Low
EPSS: 0.0004 (Low), percentile: 9.2%

“OfferBox” App provided by i-plug inc. uses a hard-coded secret key for JWT (CWE-321).

Impact

The hard-coded secret key for JWT may be retrieved if the application binary is reverse-engineered.

Solution

The developer revoked the hard-coded secret key on May 8, 2024; tokens signed with it are therefore no longer accepted, and the vulnerability is no longer exploitable even on affected versions.
The developer has also released the following updates, which do not contain a hard-coded secret key:

  • “OfferBox” App for Android 3.0.0
  • “OfferBox” App for iOS 3.0.0
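The following is an added example that is not code from the "OfferBox" App or from i-plug inc. It illustrates the Impact and Solution sections above: what an attacker gains from a JWT secret recovered out of a client binary, and why revoking (rotating) that secret on the server side closes the hole. It assumes the secret is used for HMAC-based signing (HS256; the advisory does not name the algorithm), implements signing and verification with the Python standard library only, and uses a constructed secret value plus a hypothetical server-side verifier class (ServerSession) that stands in for the backend.

```python
"""Hard-coded JWT secret (CWE-321): forgery with the extracted key,
and the effect of revoking that key on the server.

Added illustration only; the secret, the claims and the ServerSession
backend are assumptions made up for this example.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    tag = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(tag)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the tag verifies under `secret`, otherwise None."""
    try:
        header_b64, payload_b64, tag_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        tag = _b64url_decode(tag_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(_b64url_decode(payload_b64))


# Constructed value standing in for a secret recovered from the app binary
# (e.g. by running `strings` over an unpacked APK or opening it in a decompiler).
EXTRACTED_SECRET = b"constructed-secret-that-shipped-in-the-app"


class ServerSession:
    """Hypothetical backend that accepts HS256 tokens signed with its current secret."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def whoami(self, token: str) -> Optional[str]:
        claims = verify_hs256(token, self._secret)
        return claims.get("sub") if claims else None

    def rotate(self, new_secret: bytes) -> None:
        # The advisory's fix: revoke the leaked key, so tokens under it stop verifying.
        self._secret = new_secret


def forge_token_for(victim_id: str, secret: bytes) -> str:
    """With the embedded secret an attacker can mint a valid token for any user."""
    return sign_hs256({"sub": victim_id, "role": "user"}, secret)


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Returns (identity accepted before rotation, identity accepted after rotation)."""
    server = ServerSession(EXTRACTED_SECRET)
    forged = forge_token_for("victim-1234", EXTRACTED_SECRET)
    before = server.whoami(forged)  # accepted: the server trusts the leaked key
    server.rotate(b"constructed-fresh-server-only-secret")
    after = server.whoami(forged)   # rejected once the leaked key is revoked
    return before, after


if __name__ == "__main__":
    print(demo())
```

The lasting fix is the one the updated app versions take: the client must not carry the signing secret at all. Only the server holds it, the client merely stores and presents tokens the server issued, and if the client needs to validate tokens locally an asymmetric algorithm with only the public key shipped in the app is the appropriate design.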

Products Affected

  • “OfferBox” App for Android 2.0.0 to 2.3.17
  • “OfferBox” App for iOS 2.1.7 to 2.6.14
