CVE-2021-21385 - OpenCVE

Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mifos	Mifos-mobile

Configuration 1 [-]

cpe:2.3:a:mifos:mifos-mobile:*:*:*:*:*:android:*:*

References

Link	Resource
https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d	Patch Third Party Advisory
https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx	Patch Third Party Advisory
https://openmf.github.io/mobileapps.github.io/	Product Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-03-24T20:45:17

Updated: 2021-03-24T20:45:17

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21385

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-24T21:15:15.070

Modified: 2021-03-30T18:30:54.153

Link: CVE-2021-21385

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "mifos-mobile", "vendor": "openMF", "versions": [{"status": "affected", "version": "<= 7ed4f22"}]}], "descriptions": [{"lang": "en", "value": "Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-297", "description": "CWE-297: Improper Validation of Certificate with Host Mismatch", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-24T20:45:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx"}, {"tags": ["x_refsource_MISC"], "url": "https://openmf.github.io/mobileapps.github.io/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d"}], "source": {"advisory": "GHSA-9657-33wf-rmvx", "discovery": "UNKNOWN"}, "title": "Disabled hostname verification and accepting self-signed certificates", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21385", "STATE": "PUBLIC", "TITLE": "Disabled hostname verification and accepting self-signed certificates"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "mifos-mobile", "version": {"version_data": [{"version_value": "<= 7ed4f22"}]}}]}, "vendor_name": "openMF"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295: Improper Certificate Validation"}]}, {"description": [{"lang": "eng", "value": "CWE-297: Improper Validation of Certificate with Host Mismatch"}]}]}, "references": {"reference_data": [{"name": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx", "refsource": "CONFIRM", "url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx"}, {"name": "https://openmf.github.io/mobileapps.github.io/", "refsource": "MISC", "url": "https://openmf.github.io/mobileapps.github.io/"}, {"name": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d", "refsource": "MISC", "url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d"}]}, "source": {"advisory": "GHSA-9657-33wf-rmvx", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21385", "datePublished": "2021-03-24T20:45:17", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2021-03-24T20:45:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mifos:mifos-mobile:*:*:*:*:*:android:*:*", "matchCriteriaId": "06D0F700-A34C-4383-97E7-0C7FE2707CDD", "versionEndExcluding": "2021-03-14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62."}, {"lang": "es", "value": "La aplicaci\u00f3n de Android Mifos-Mobile para MifosX es una aplicaci\u00f3n de Android construida sobre la plataforma de autoservicio MifosX. Mifos-Mobile versiones anteriores al commit e505f62 deshabilita la comprobaci\u00f3n del nombre de host HTTPS de su cliente HTTP. Adem\u00e1s, acept\u00f3 como v\u00e1lido cualquier certificado autofirmado. La comprobaci\u00f3n del nombre de host es una parte importante cuando es usado HTTPS para garantizar que el certificado presentado sea v\u00e1lido para el host. Deshabilitarlo puede permitir ataques de tipo man-in-the-middle. Aceptar cualquier certificado, inclusive los autofirmados, permite ataques de tipo man-in-the-middle. Este problema es corregido en mifos-mobile commit e505f62"}], "id": "CVE-2021-21385", "lastModified": "2021-03-30T18:30:54.153", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-03-24T21:15:15.070", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://openmf.github.io/mobileapps.github.io/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-297"}], "source": "security-advisories@github.com", "type": "Primary"}]}