Lucene search

K
jvnJapan Vulnerability NotesJVN:96154238
HistoryJan 23, 2024 - 12:00 a.m.

JVN#96154238: Android App "Spoon" uses a hard-coded API key for an external service

2024-01-2300:00:00
Japan Vulnerability Notes
jvn.jp
9
android app
spoon
hard-coded api key
cwe-798
reverse-engineering
security vulnerability
application update
service access
version 8.6.1

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

5.1%

Android App “Spoon” provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service (CWE-798).

Impact

The hard-coded API key may be retrieved when the application binary is reverse-engineered.
This API key may be used for unexpected access of the associated service.

Note that the application users are not directly affected by this vulnerability.

Solution

Update the Application
Update the application to the latest version according to the information provided by the developer.
This vulnerability has been fixed in Android Spoon application version 8.6.1 or later.

Products Affected

  • Android Spoon application version 7.11.1 to 8.6.0

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

5.1%

Related for JVN:96154238