CVE-2014-3908 : The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509

The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Published 2014-08-30 09:55:05

Updated 2014-09-02 18:04:50

Source JPCERT/CC

View at NVD, CVE.org

Products affected by CVE-2014-3908

Amazon » Kindle » For Android
Versions up to, including, (<=) 4.4.4
cpe:2.3:a:amazon:kindle:*:*:*:*:*:android:*:*
Matching versions
Amazon » Kindle » Version: 4.4.0 For Android
cpe:2.3:a:amazon:kindle:4.4.0:*:*:*:*:android:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-3908

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 24 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-3908

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2014-3908

CWE-310

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-3908

http://jvndb.jvn.jp/jvndb/JVNDB-2014-000102

JVNDB-2014-000102 - JVN iPedia - 脆弱性対策情報データベース
http://jvn.jp/en/jp/JVN17637243/index.html

JVN#17637243: Kindle App for Android fails to verify SSL server certificates

Jump to

Vulnerability Details : CVE-2014-3908

Products affected by CVE-2014-3908

Exploit prediction scoring system (EPSS) score for CVE-2014-3908

CVSS scores for CVE-2014-3908

CWE ids for CVE-2014-3908

References for CVE-2014-3908