All the vulnerabilities related to FreeFrom K.K. - "FreeFrom - the nostr client" App for Android
cve-2024-36279
Vulnerability from cvelistv5
Published
2024-06-17 07:34
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
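"FreeFrom - the nostr client" App for Android and iOS, in versions prior to 1.3.5, relies on obfuscation or encryption of security-relevant inputs without integrity checking (CWE-649). If this vulnerability is exploited, the content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack. Encryption alone does not reveal tampering: without an integrity check, a recipient has no way to notice that a DM was altered in transit. Versions 1.3.5 and later are not listed as affected.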
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:freefrom_kk:freefrom_the_nostr_client_app:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "freefrom_the_nostr_client_app", "vendor": "freefrom_kk", "versions": [ { "lessThan": "1.3.5", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-36279", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T20:04:43.609276Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-649", "description": "CWE-649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-18T16:28:53.015Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:37:05.263Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://freefrom.space/" }, { "tags": [ "x_transferred" ], "url": "https://play.google.com/store/apps/details?id=com.freefrom" }, { "tags": [ "x_transferred" ], "url": "https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN55045256/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "\"FreeFrom - the nostr client\" App 
for Android", "vendor": "FreeFrom K.K.", "versions": [ { "status": "affected", "version": "prior to 1.3.5" } ] }, { "product": "\"FreeFrom - the nostr client\" App for iOS", "vendor": "FreeFrom K.K.", "versions": [ { "status": "affected", "version": "prior to 1.3.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Reliance on obfuscation or encryption of security-relevant inputs without integrity checking issue exists in \"FreeFrom - the nostr client\" App versions prior to 1.3.5 for Android and iOS. If this vulnerability is exploited, the content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack." } ], "problemTypes": [ { "descriptions": [ { "description": "Reliance on obfuscation or encryption of security-relevant inputs without integrity checking", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-17T07:34:09.553Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://freefrom.space/" }, { "url": "https://play.google.com/store/apps/details?id=com.freefrom" }, { "url": "https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930" }, { "url": "https://jvn.jp/en/jp/JVN55045256/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2024-36279", "datePublished": "2024-06-17T07:34:09.553Z", "dateReserved": "2024-06-03T03:52:21.405Z", "dateUpdated": "2024-08-02T03:37:05.263Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-36277
Vulnerability from cvelistv5
Published
2024-06-17 07:33
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
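"FreeFrom - the nostr client" App for Android and iOS, in versions prior to 1.3.5, improperly verifies cryptographic signatures (CWE-347). The affected app cannot detect event data with invalid signatures, so in affected versions a displayed event cannot be assumed to carry a valid signature from its stated author. Versions 1.3.5 and later are not listed as affected.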
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:freefrom_kk:freefrom_the_nostr_client_app:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "freefrom_the_nostr_client_app", "vendor": "freefrom_kk", "versions": [ { "lessThan": "1.3.5", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-36277", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T14:24:09.463816Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-18T16:30:29.244Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:37:05.045Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://freefrom.space/" }, { "tags": [ "x_transferred" ], "url": "https://play.google.com/store/apps/details?id=com.freefrom" }, { "tags": [ "x_transferred" ], "url": "https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN55045256/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "\"FreeFrom - the nostr client\" App for Android", "vendor": "FreeFrom K.K.", 
"versions": [ { "status": "affected", "version": "prior to 1.3.5" } ] }, { "product": "\"FreeFrom - the nostr client\" App for iOS", "vendor": "FreeFrom K.K.", "versions": [ { "status": "affected", "version": "prior to 1.3.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Improper verification of cryptographic signature issue exists in \"FreeFrom - the nostr client\" App versions prior to 1.3.5 for Android and iOS. The affected app cannot detect event data with invalid signatures." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Verification of Cryptographic Signature", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-17T07:33:55.100Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://freefrom.space/" }, { "url": "https://play.google.com/store/apps/details?id=com.freefrom" }, { "url": "https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930" }, { "url": "https://jvn.jp/en/jp/JVN55045256/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2024-36277", "datePublished": "2024-06-17T07:33:55.100Z", "dateReserved": "2024-06-03T03:52:23.220Z", "dateUpdated": "2024-08-02T03:37:05.045Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-36289
Vulnerability from cvelistv5
Published
2024-06-17 07:34
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
"FreeFrom - the nostr client" App for Android and iOS, in versions prior to 1.3.5, reuses a nonce/key pair in encryption (CWE-323). If this vulnerability is exploited, the content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack. Versions 1.3.5 and later are not listed as affected.
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:freefrom_kk:freefrom_the_nostr_client_app:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "freefrom_the_nostr_client_app", "vendor": "freefrom_kk", "versions": [ { "lessThan": "1.3.5", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-36289", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-18T16:31:01.878703Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-323", "description": "CWE-323 Reusing a Nonce, Key Pair in Encryption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-18T16:31:05.243Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:37:05.005Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://freefrom.space/" }, { "tags": [ "x_transferred" ], "url": "https://play.google.com/store/apps/details?id=com.freefrom" }, { "tags": [ "x_transferred" ], "url": "https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN55045256/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "\"FreeFrom - the nostr client\" App for Android", "vendor": "FreeFrom K.K.", 
"versions": [ { "status": "affected", "version": "prior to 1.3.5" } ] }, { "product": "\"FreeFrom - the nostr client\" App for iOS", "vendor": "FreeFrom K.K.", "versions": [ { "status": "affected", "version": "prior to 1.3.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Reusing a nonce, key pair in encryption issue exists in \"FreeFrom - the nostr client\" App versions prior to 1.3.5 for Android and iOS. If this vulnerability is exploited, the content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack." } ], "problemTypes": [ { "descriptions": [ { "description": "Reusing a nonce, key pair in encryption", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-17T07:34:25.793Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://freefrom.space/" }, { "url": "https://play.google.com/store/apps/details?id=com.freefrom" }, { "url": "https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930" }, { "url": "https://jvn.jp/en/jp/JVN55045256/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2024-36289", "datePublished": "2024-06-17T07:34:25.793Z", "dateReserved": "2024-06-03T03:52:22.331Z", "dateUpdated": "2024-08-02T03:37:05.005Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
jvndb-2024-000060
Vulnerability from jvndb
Published
2024-06-07 14:51
Modified
2024-06-07 14:51
Severity ?
Summary
Multiple vulnerabilities in "FreeFrom - the nostr client" App
Details
"FreeFrom - the nostr client" App provided by FreeFrom K.K. contains multiple vulnerabilities listed below.
- Improper verification of cryptographic signature (CWE-347) - CVE-2024-36277
- Reliance on obfuscation or encryption of security-relevant inputs without integrity checking (CWE-649) - CVE-2024-36279
- Reusing a nonce, key pair in encryption (CWE-323) - CVE-2024-36289
The people listed below reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Hayato Kimura of University of Hyogo
Ryoma Ito of National Institute of Information and Communications Technology (NICT)
Kazuhiko Minematsu of NEC Corporation/Yokohama National University
Takanori Isobe of University of Hyogo
References
Impacted products
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000060.html", "dc:date": "2024-06-07T14:51+09:00", "dcterms:issued": "2024-06-07T14:51+09:00", "dcterms:modified": "2024-06-07T14:51+09:00", "description": "\"FreeFrom - the nostr client\" App provided by FreeFrom K.K. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eImproper verification of cryptographic signature (CWE-347) - CVE-2024-36277\u003c/li\u003e\r\n\u003cli\u003eReliance on obfuscation or encryption of security-relevant inputs without integrity checking (CWE-649) - CVE-2024-36279\u003c/li\u003e\r\n\u003cli\u003eReusing a nonce, key pair in encryption (CWE-323) - CVE-2024-36289\u003c/li\u003e\u003c/ul\u003e\r\n\r\nThe people listed below reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nHayato Kimura of University of Hyogo\r\nRyoma Ito of National Institute of Information and Communications Technology (NICT)\r\nKazuhiko Minematsu of NEC Corporation/Yokohama National University\r\nTakanori Isobe of University of Hyogo", "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000060.html", "sec:cpe": [ { "#text": "cpe:/a:misc:freefrom_android_app_freefrom-the_nostr_client", "@product": "\"FreeFrom - the nostr client\" App for Android", "@vendor": "FreeFrom K.K.", "@version": "2.2" }, { "#text": "cpe:/a:misc:freefrom_iOS_app_freefrom-the_nostr_client", "@product": "\"FreeFrom - the nostr client\" App for iOS", "@vendor": "FreeFrom K.K.", "@version": "2.2" } ], "sec:cvss": { "@score": "5.3", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "@version": "3.0" }, "sec:identifier": "JVNDB-2024-000060", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN55045256/index.html", "@id": "JVN#55045256", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2024-36277", "@id": "CVE-2024-36277", "@source": "CVE" }, 
{ "#text": "https://www.cve.org/CVERecord?id=CVE-2024-36279", "@id": "CVE-2024-36279", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2024-36289", "@id": "CVE-2024-36289", "@source": "CVE" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)" } ], "title": "Multiple vulnerabilities in \"FreeFrom - the nostr client\" App" }