Mirmay Secure Private Browser / File Manager até 2.5 em iPad Auto Lock Fraca autenticação

Uma vulnerabilidade, que foi classificada como problemático, foi encontrada em Mirmay Secure Private Browser and File Manager até 2.5. Afectado é uma função desconhecida do componente Auto Lock. A manipulação com uma entrada desconhecida leva a Fraca autenticação. Usar a CWE para declarar o problema leva à CWE-287. O bug foi descoberto em 31/08/2017. O aconselhamento é partilhado para download em scip.ch. O lançamento público foi coordenado com o fornecedor. A vulnerabilidade é identificada como CVE-2018-25030. O ataque deve ser iniciado localmente. Não há detalhes técnicos disponíveis. Além disso, há uma exploração disponível. A exploração foi divulgada ao público e pode ser utilizada. É declarado como funcional. A exploração é partilhada para download em youtu.be. Como 0 dia, o preço estimado do subsolo foi de cerca de $0-$5k. Recomenda-se a substituição do componente afectado por uma alternativa.

Campo28/03/2022 22h3727/12/2022 14h3327/12/2022 14h34
vendorMirmayMirmayMirmay
nameSecure Private Browser / File ManagerSecure Private Browser / File ManagerSecure Private Browser / File Manager
version<=2.5<=2.5<=2.5
platformiPadiPadiPad
componentAuto LockAuto LockAuto Lock
discoverydate150413760015041376001504137600
vendorinformdate150413760015041376001504137600
risk111
historic000
cvss2_vuldb_basescore1.71.71.7
cvss2_vuldb_tempscore1.61.61.6
cvss2_vuldb_avLLL
cvss2_vuldb_acLLL
cvss2_vuldb_auSSS
cvss2_vuldb_ciPPP
cvss2_vuldb_iiNNN
cvss2_vuldb_aiNNN
cvss3_meta_basescore3.33.33.0
cvss3_meta_tempscore3.33.33.0
cvss3_vuldb_basescore3.33.33.3
cvss3_vuldb_tempscore3.33.33.3
developer_mailmaru@****.**maru@****.**maru@****.**
cvss3_vuldb_avLLL
cvss3_vuldb_acLLL
cvss3_vuldb_prLLL
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cLLL
cvss3_vuldb_iNNN
cvss3_vuldb_aNNN
advisoryquoteHowever, there is an indication that the app doesn’t correctly follow the sequence of actions at this specific point. When the video minimizes and the app opens again, LocalAuthentication should be used to close the video or display an overlay before the initial authentication. Only then should the modal dialog box for authentication be displayed.However, there is an indication that the app doesn’t correctly follow the sequence of actions at this specific point. When the video minimizes and the app opens again, LocalAuthentication should be used to close the video or display an overlay before the initial authentication. Only then should the modal dialog box for authentication be displayed.However, there is an indication that the app doesn’t correctly follow the sequence of actions at this specific point. When the video minimizes and the app opens again, LocalAuthentication should be used to close the video or display an overlay before the initial authentication. Only then should the modal dialog box for authentication be displayed.
date1517443200 (01/02/2018)1517443200 (01/02/2018)1517443200 (01/02/2018)
locationYoutubeYoutubeYoutube
typeVideoVideoVideo
urlhttps://www.scip.ch/en/?labs.20180201https://www.scip.ch/en/?labs.20180201https://www.scip.ch/en/?labs.20180201
identifierLabs 20180201Labs 20180201Labs 20180201
coordination111
person_nameMarc RuefMarc RuefMarc Ruef
person_mailmaru@****.**maru@****.**maru@****.**
person_websitehttp://www.computec.ch/mruef/http://www.computec.ch/mruef/http://www.computec.ch/mruef/
company_namescip AGscip AGscip AG
disputed000
availability111
date1517443200 (01/02/2018)1517443200 (01/02/2018)1517443200 (01/02/2018)
publicity111
urlhttps://youtu.be/cd6nbos-BI0https://youtu.be/cd6nbos-BI0https://youtu.be/cd6nbos-BI0
developer_nameMarc RuefMarc RuefMarc Ruef
developer_websitehttp://www.computec.ch/mruef/http://www.computec.ch/mruef/http://www.computec.ch/mruef/
languageVideoVideoVideo
price_0day$0-$5k$0-$5k$0-$5k
advisoryquoteA few criteria must be met for this vulnerability to occur and be exploited. Basically, a certain degree of incorrect use is required. Still, it is possible to inadvertently create this situation and thus nullify the core security function of the app.A few criteria must be met for this vulnerability to occur and be exploited. Basically, a certain degree of incorrect use is required. Still, it is possible to inadvertently create this situation and thus nullify the core security function of the app.A few criteria must be met for this vulnerability to occur and be exploited. Basically, a certain degree of incorrect use is required. Still, it is possible to inadvertently create this situation and thus nullify the core security function of the app.
videolinkhttps://youtu.be/cd6nbos-BI0https://youtu.be/cd6nbos-BI0https://youtu.be/cd6nbos-BI0
cvss2_vuldb_eFFF
cvss2_vuldb_rlUUU
cvss2_vuldb_rcCCC
cvss3_vuldb_eFFF
cvss3_vuldb_rlUUU
cvss3_vuldb_rcCCC
0day_days111
falsepositive000
cwe287 (Fraca autenticação)287 (Fraca autenticação)287 (Fraca autenticação)
cveCVE-2018-25030CVE-2018-25030CVE-2018-25030
cve_cnaVulDBVulDBVulDB
responsibleVulDBVulDBVulDB
nameAlternativaAlternativaAlternativa
cve_assigned1643324400 (28/01/2022)1643324400 (28/01/2022)
cve_nvd_summaryA vulnerability classified as problematic has been found in Mirmay Secure Private Browser and File Manager up to 2.5. Affected is the Auto Lock. A race condition leads to a local authentication bypass. The exploit has been disclosed to the public and may be used.A vulnerability classified as problematic has been found in Mirmay Secure Private Browser and File Manager up to 2.5. Affected is the Auto Lock. A race condition leads to a local authentication bypass. The exploit has been disclosed to the public and may be used.
cvss3_nvd_avL
cvss3_nvd_acH
cvss3_nvd_prL
cvss3_nvd_uiN
cvss3_nvd_sU
cvss3_nvd_cL
cvss3_nvd_iN
cvss3_nvd_aN
cvss2_nvd_avL
cvss2_nvd_acM
cvss2_nvd_auN
cvss2_nvd_ciP
cvss2_nvd_iiN
cvss2_nvd_aiN
cvss3_cna_avL
cvss3_cna_acL
cvss3_cna_prL
cvss3_cna_uiN
cvss3_cna_sU
cvss3_cna_cL
cvss3_cna_iN
cvss3_cna_aN
cvss2_nvd_basescore1.9
cvss3_nvd_basescore2.5
cvss3_cna_basescore3.3

VoltarVisão GeralPróximo

Do you need the next level of professionalism?

Upgrade your account now!