Published: 2024/04/19  Last Updated: 2024/04/19

JVNVU#91696361
LINE client for iOS vulnerable to improper server certificate verification

Overview

The financial module within LINE client for iOS lacks server certificate verification in log transmission.

Products Affected

  • LINE Client for iOS, versions 13.12.0 or newer, and prior to 13.16.0

Description

The financial module within LINE client for iOS lacks server certificate verification in log transmission (CWE-295, CVE-2023-5554).

Impact

An attacker in a man-in-the-middle position may be able to eavesdrop on the communication.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor: LY Corporation
Link: CVE-2023-5554

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score: 4.8

  Attack Vector (AV): Network (N)
  Attack Complexity (AC): High (H)
  Privileges Required (PR): None (N)
  User Interaction (UI): None (N)
  Scope (S): Unchanged (U)
  Confidentiality Impact (C): Low (L)
  Integrity Impact (I): Low (L)
  Availability Impact (A): None (N)

Comment

This analysis assumes that a man-in-the-middle attack is conducted by, for example, directing the victim to connect to a malicious wireless access point.

Credit

LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
