Published:2025/09/02 Last Updated:2025/09/02
JVN#47404248
"Gunosy" App vulnerable to insertion of sensitive information into sent data (CWE-201)
Overview
"Gunosy" App provided by Gunosy Inc. contains a vulnerability where sensitive information may be included in the application's outbound communication.
Products Affected
- "Gunosy" App for Android versions prior to 7.34.0
- "Gunosy" App for iOS versions prior to 7.34.0
Description
"Gunosy" App provided by Gunosy Inc. contains the following vulnerability.
- Insertion of sensitive information into sent data (CWE-201)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 5.1
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Base Score 4.3
- CVE-2025-44017
Impact
If a user accesses a crafted URL, an attacker may obtain the JWT (JSON Web Token).
Solution
Update the application
Update the application to the latest version according to the information provided by the developer.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
YUNAO ZHOU reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-44017 |
| JVN iPedia |
JVNDB-2025-000070 |