A vulnerability was found in Game-insight My Railway 1.1.33. It has been rated as critical. This issue affects an unknown functionality of the component X.509 Certificate Handler. The manipulation with an unknown input leads to a cryptographic issues vulnerability. Using CWE to declare the problem leads to CWE-310. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The My Railway (aka com.gameinsight.myrailway) application 1.1.33 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

The weakness was published 09/09/2014 as confirmed advisory (CERT.org). It is possible to read the advisory at kb.cert.org. The identification of this vulnerability is CVE-2014-5837 since 08/30/2014. The attack can only be done within the local network. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1600 according to MITRE ATT&CK.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Similar entries are available at VDB-71433, VDB-71432, VDB-71431 and VDB-71430. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• Game-insight

Name

• My Railway

Version

• 1.1.33

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion