JVN#15808274: e-Gov Client Application fails to restrict custom URL schemes properly

Overview

e-Gov Client Application fails to restrict custom URL schemes properly.

Products Affected

e-Gov Client Application (Windows version) versions prior to 2.1.1.0
e-Gov Client Application (macOS version) versions prior to 1.1.1.0

Description

e-Gov Client Application is installed, a Custom URL Scheme is configured on the system to enable invoking the product through a web browser.
This custom URL contains the information about the website which the product should access, and a crafted URL may direct the application to access an unexpected website (CWE-939).

Impact

A crafted URL may direct the product to access an arbitrary website. As a result, the user may become a victim of a phishing attack.

Solution

Update the Product
Update the product to the latest version according to the information provided by the developer.
The developer released the following versions to fix the issue.

e-Gov Client Application (Windows version) 2.1.1.0
e-Gov Client Application (macOS version) 1.1.1.0

Vendor Status

Vendor	Link
Digital Agency	Notice of e-Gov Client Application Update (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Base Score: 4.3

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N