Vulnerability Details : CVE-2017-3182
On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack. ThreatMetrix is a security library for mobile applications, which aims to provide fraud prevention and device identity capabilities. The ThreatMetrix SDK versions prior to 3.2 do not validate SSL certificates on the iOS platform. An affected application will communicate with https://h-sdk.online-metrix.net, regardless of whether the connection is secure or not. An attacker on the same network as or upstream from the iOS device may be able to view or modify ThreatMetrix network traffic that should have been protected by HTTPS.
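As an added illustration (not code from this page, from the SDK, or from ThreatMetrix), the URLSession delegate pattern that produces this class of defect on iOS, beside a delegate that keeps certificate validation in place. Only the host name comes from the advisory above; the class names and structure are assumptions.

```swift
import Foundation
import Security

// Host named in the advisory; used here only to scope the trust check.
let metrixHost = "h-sdk.online-metrix.net"

/// INSECURE (CWE-295): accepts whatever certificate the server presents.
/// Any on-path party can terminate the TLS session with its own certificate
/// and read or alter the traffic, which is the condition described above.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // SecTrustEvaluate is never called: self-signed, expired and
            // wrong-host certificates are all accepted.
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        completionHandler(.performDefaultHandling, nil)
    }
}

/// HARDENED: evaluates the chain against the system trust store with an SSL
/// policy bound to the expected host, and cancels the request on failure.
/// Simply not implementing this delegate method gives the same default check.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Require a chain valid for TLS server use AND for this exact host name.
        let policy = SecPolicyCreateSSL(true, metrixHost as CFString)
        SecTrustSetPolicies(trust, policy)
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: an untrusted chain must not be used, and the
            // failure (error?.localizedDescription) is worth logging.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

A quick regression check for an app is to point it at a test server with a self-signed certificate: the hardened delegate must cancel the request, while the insecure one silently proceeds.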
Products affected by CVE-2017-3182
- cpe:2.3:a:threatmetrix:threatmetrix_sdk:*:*:*:*:*:iphone_os:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-3182
- 0.06%: probability of exploitation activity in the next 30 days
- ~21%: percentile, the proportion of vulnerabilities that are scored at or below this value
CVSS scores for CVE-2017-3182
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:A/AC:M/Au:N/C:P/I:P/A:N | 5.5 | 4.9 | NIST | |
6.8 | MEDIUM | CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 1.6 | 5.2 | NIST | |
CWE ids for CVE-2017-3182
- The product does not validate, or incorrectly validates, a certificate.
  Assigned by:
  - cret@cert.org (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2017-3182
- https://www.kb.cert.org/vuls/id/767208
  VU#767208 - ThreatMetrix SDK for iOS fails to validate SSL certificates (Third Party Advisory; US Government Resource)
- https://www.securityfocus.com/bid/95360
  ThreatMetrix SDK for iOS CVE-2017-3182 SSL Certificate Validation Security Bypass Vulnerability (Third Party Advisory; VDB Entry)