Japan Vulnerability NotesJVN:96154238JVN#96154238: Android App "Spoon" uses a hard-coded API key for an external service
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.9 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
5.1%
Android App “Spoon” provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service (CWE-798).
Impact
The hard-coded API key may be retrieved when the application binary is reverse-engineered.
This API key may be used for unexpected access of the associated service.
Note that the application users are not directly affected by this vulnerability.
Solution
Update the Application
Update the application to the latest version according to the information provided by the developer.
This vulnerability has been fixed in Android Spoon application version 8.6.1 or later.
Products Affected
- Android Spoon application version 7.11.1 to 8.6.0
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.9 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
5.1%