Published:2019/05/24  Last Updated:2019/05/24

JVN#57806517
Android App "Tootdon for Mastodon" fails to verify SSL server certificates

Overview

Android App "Tootdon for Mastodon" fails to verify SSL server certificates.

Products Affected

  • Android App "Tootdon for Mastodon" version 3.4.1 and earlier

Description

Android App "Tootdon for Mastodon" provided by Tsukurito, Inc. fails to verify SSL server certificates (CWE-295).

Impact

A man-in-the-middle attack may allow an attacker to obtain and/or alter a content of communication.

Solution

Update the Application
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
Tsukurito, Inc. Vulnerable 2019/05/24 Tsukurito, Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score: 4.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N
Base Score: 4.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Comment

This analysis assumes a man-in-the-middle attack being conducted by an attacker that places a malicious wireless LAN access point.

Credit

Gomasy reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2019-5961
JVN iPedia JVNDB-2019-000029