JVN#28515217
Cleartext transmission issue in TONE store App to TONE store
Overview
TONE store App contains a cleartext transmission issue to TONE store website.
Products Affected
- TONE store App version 3.4.2 and earlier
Description
TONE store App provided by DREAM TRAIN INTERNET INC. contains a cleartext transmission issue to TONE store website (CWE-419).
Impact
A man-in-the-middle attack may allow an attacker to obtain and/or alter communications of the affected App.
Solution
Update the application
Update the application to the latest version according to the information provided by the developer.
The application will be updated automatically when the internet connection settings are enabled.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| DREAM TRAIN INTERNET INC. | Vulnerable | 2024/07/08 | DREAM TRAIN INTERNET INC. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Comment
This analysis assumes a man-in-the-middle attack being conducted by an attacker that places a malicious wireless LAN access point.
Credit
Kodai Karakawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-39886 |
| JVN iPedia |
JVNDB-2024-000069 |