CVE-2022-38117

Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users’ ciphertext and tamper with it.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.3 / Impact : 5.2

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html	Third Party Advisory VDB Entry
https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:juiker:juiker:4.6.0311.1:*:*:*:*:android:*:*

History

21 Nov 2024, 07:15

Type	Values Removed	Values Added
References	~~() https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html - Third Party Advisory, VDB Entry~~	() https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html - Third Party Advisory, VDB Entry
CVSS	v2 : ~~unknown~~ v3 : ~~6.1~~	v2 : unknown v3 : 5.5

Information

Published : 2022-10-24 14:15

Updated : 2024-11-21 07:15

NVD link : CVE-2022-38117

Mitre link : CVE-2022-38117

CVE.ORG link : CVE-2022-38117

JSON object : View

Products Affected

juiker

juiker

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2022-38117", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.9}]}, "published": "2022-10-24T14:15:50.863", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users\u2019 ciphertext and tamper with it."}, {"lang": "es", "value": "La aplicaci\u00f3n Juiker embebe su clave AES en el c\u00f3digo fuente. Un atacante f\u00edsico, despu\u00e9s de conseguir el privilegio de root de Android, puede usar la clave AES para descifrar el texto cifrado de usuarios y manipularlo"}], "lastModified": "2024-11-21T07:15:49.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:juiker:juiker:4.6.0311.1:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "70D4534E-BD1E-4391-8304-6501024FE375"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}