Published:2023/08/24  Last Updated:2024/12/03

JVN#03447226
"Skylark" App fails to restrict custom URL schemes properly

Overview

"Skylark" App fails to restrict custom URL schemes properly.

Products Affected

  • "Skylark" App for Android versions 6.2.13 and earlier
  • "Skylark" App for iOS versions 6.2.13 and earlier

Description

"Skylark" App provided by SKYLARK HOLDINGS CO., LTD. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly (CWE-939, CVE-2023-40530, CVE-2024-54014) which may be exploited to direct the App to access any sites.

Impact

An arbitrary site may be displayed on the WebView of the product by using another application installed on the user's device. As a result, the user may be redirected to a malicious site.

Solution

Update the application
Update the application to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
SKYLARK HOLDINGS CO., LTD. Vulnerable 2024/11/20

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Base Score: 3.6
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score: 4.3
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Comment

The messaging mechanism within the device is used, hence Attack Vector is evaluated as Local (AV:L) in CVSSv3.

Credit

CVE-2023-40530
Shunsuke Kaneko of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2024-54014
Ryo Sato reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2023-40530
CVE-2024-54014
JVN iPedia JVNDB-2023-000085

Update History

2023/11/01
SKYLARK HOLDINGS CO., LTD. update status
2024/12/03
CVE-2024-54014 was added. SKYLARK HOLDINGS CO., LTD. update status