Lucene search

[email protected]NVD:CVE-2020-36284

HistoryApr 06, 2021 - 4:15 p.m.

CVE-2020-36284

2021-04-0616:15:15

CWE-347

[email protected]

web.nvd.nist.gov

union pay android cwe-347 free shopping null key

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

36.7%

JSON

Union Pay up to 3.4.93.4.9, for android, contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants’ websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL.

Affected configurations

Nvd

Node

unionpayintlunion_payRange≤3.4.93.4.9android

VendorProductVersionCPE
unionpayintlunion_pay*cpe:2.3:a:unionpayintl:union_pay:*:*:*:*:*:android:*:*

Vendor	Product	Version	CPE
unionpayintl	union_pay	*	cpe:2.3:a:unionpayintl:union_pay::::::android::*

References

mobitec.ie.cuhk.edu.hk/cve_2020/

www.dropbox.com/s/6smwnbrp0kgsgrc/poc_code.py?dl=0

www.dropbox.com/s/czbkdr73tclq2nr/UnionPay_Vulnerability_Report.txt?dl=0

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

36.7%

JSON

Related for NVD:CVE-2020-36284

cvelist1 prion1 cve1