CVE-2014-1976 : The Demaecan application 2.1.0 and earlier for Android does not verify X.509 cer

The Demaecan application 2.1.0 and earlier for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Published 2014-03-18 05:18:19

Updated 2014-03-18 16:05:27

Source JPCERT/CC

View at NVD, CVE.org

Products affected by CVE-2014-1976

Yumenomachi » Demaecan » For Android
Versions up to, including, (<=) 2.1.0
cpe:2.3:a:yumenomachi:demaecan:*:*:*:*:*:android:*:*
Matching versions
Yumenomachi » Demaecan » Version: 2.0.0 For Android
cpe:2.3:a:yumenomachi:demaecan:2.0.0:*:*:*:*:android:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-1976

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 30 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-1976

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2014-1976

CWE-310

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-1976

https://play.google.com/store/apps/details?id=com.demaecan.androidapp

出前館 - Apps on Google Play
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000030

JVNDB-2014-000030 - JVN iPedia - 脆弱性対策情報データベース
http://jvn.jp/en/jp/JVN16263849/index.html

JVN#16263849: Demaecan for Android. contains an issue where it fails to verify SSL server certificates

Jump to

Vulnerability Details : CVE-2014-1976

Products affected by CVE-2014-1976

Exploit prediction scoring system (EPSS) score for CVE-2014-1976

CVSS scores for CVE-2014-1976

CWE ids for CVE-2014-1976

References for CVE-2014-1976