Published:2020/07/08  Last Updated:2020/07/09

JVN#93167107
Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of Java object

Overview

Android App "Mercari" (Japan version) contains a vulnerability allowing arbitrary method execution of a Java object.

Products Affected

  • Android App "Mercari" (Japan version) prior to version 3.52.0
According to the developer, affected versions are no longer used at this point because the update was applied automatically when the application was launched in the past.

Description

Android App "Mercari" (Japan version) provided by Mercari, Inc. contains vulnerability which may allow arbitrary Java method execution (CWE-749) due to inadequate restrictions on addJavascriptInterface of WebView class.

Impact

An arbitrary method of a Java object may be executed by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.

Solution

Update the Application
This vulnerability is addressed by updating the application to the latest version.
According to the developer, there is no need for users to take any actions since the application is automatically updated when it is launched, and the affected API level is no longer in use in the current versions of the application.

Vendor Status

Vendor Status Last Update Vendor Notes
Mercari, Inc. Vulnerable 2020/07/08

References

JPCERT/CC Addendum

This JVN publication was delayed to 2020/07/08 after the developer fix was developed. From the fiscal year 2011, JPCERT/CC is using a new vendor coordination procedure. This new procedure came from the recommendation of the fiscal year 2010 "Study Group on Information System Vulnerability Handling" aimed at more timely JVN publications.

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Base Score: 5.0
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:P
Base Score: 5.1
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Taichi Kotake of Akatsuki Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-5604
JVN iPedia JVNDB-2020-000043

Update History

2020/07/08
Modified some descriptions in this advisory
2020/07/09
Fixed some typos in this advisory