All the vulnerabilites related to (Multiple Venders) - (Multiple Products)
jvndb-2023-027250
Vulnerability from jvndb
Published
2024-09-11 18:19
Modified
2024-09-11 18:19
Summary
Security Problem in Web Browser Permission Mechanism
Details
A research team of Waseda University and NTT Social Informatics Laboratories conducted a systematic analysis of the permission mechanisms of 5 different Operating Systems (both mobile and desktop OS) and 22 major browsers running on each OS. The results show that they have multiple problems including lack of consistency in implementations of permission mechanisms and flaws that can result in privacy risks. These problems can cause browser users to make bad decisions and create security threats. The below contents are presented by the research team at <a href="https://www.ndss-symposium.org/ndss-paper/browser-permission-mechanisms-demystified/"target="blank">NDSS 2023</a>.
Please refer to <a href="https://jvn.jp/en/ta/JVNTA96606604/index.html">JVNTA#96606604</a> for more details.
This document was written by Kazuki Nomoto (Waseda University), Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama (NTT Social Informatics Laboratories), and JPCERT/CC to alert browser vendors and users.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-027250.html",
"dc:date": "2024-09-11T18:19+09:00",
"dcterms:issued": "2024-09-11T18:19+09:00",
"dcterms:modified": "2024-09-11T18:19+09:00",
"description": "A research team of Waseda University and NTT Social Informatics Laboratories conducted a systematic analysis of the permission mechanisms of 5 different Operating Systems (both mobile and desktop OS) and 22 major browsers running on each OS. The results show that they have multiple problems including lack of consistency in implementations of permission mechanisms and flaws that can result in privacy risks. These problems can cause browser users to make bad decisions and create security threats. The below contents are presented by the research team at \u003ca href=\"https://www.ndss-symposium.org/ndss-paper/browser-permission-mechanisms-demystified/\"target=\"blank\"\u003eNDSS 2023\u003c/a\u003e.\r\n\r\nPlease refer to \u003ca href=\"https://jvn.jp/en/ta/JVNTA96606604/index.html\"\u003eJVNTA#96606604\u003c/a\u003e for more details.\r\n\r\nThis document was written by Kazuki Nomoto (Waseda University), Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama (NTT Social Informatics Laboratories), and JPCERT/CC to alert browser vendors and users.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-027250.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:identifier": "JVNDB-2023-027250",
"sec:references": [
{
"#text": "https://jvn.jp/en/ta/JVNTA96606604/index.html",
"@id": "JVNTA#96606604",
"@source": "JVN"
},
{
"#text": "https://www.ndss-symposium.org/ndss-paper/browser-permission-mechanisms-demystified/",
"@id": "Browser Permission Mechanisms Demystified - NDSS Symposium 2023",
"@source": "Related document"
}
],
"title": "Security Problem in Web Browser Permission Mechanism"
}
jvndb-2014-000138
Vulnerability from jvndb
Published
2014-12-02 14:21
Modified
2014-12-09 15:33
Summary
OS command injection vulnerability in multiple FUJITSU Android devices
Details
Multiple FUJITSU Android devices contain an OS command injection vulnerability.
Masaaki Chida of GREE, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000138.html",
"dc:date": "2014-12-09T15:33+09:00",
"dcterms:issued": "2014-12-02T14:21+09:00",
"dcterms:modified": "2014-12-09T15:33+09:00",
"description": "Multiple FUJITSU Android devices contain an OS command injection vulnerability.\r\n\r\nMasaaki Chida of GREE, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000138.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:cvss": {
"@score": "6.2",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2014-000138",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN06302787/index.html",
"@id": "JVN#06302787",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7253",
"@id": "CVE-2014-7253",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7253",
"@id": "CVE-2014-7253",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
}
],
"title": "OS command injection vulnerability in multiple FUJITSU Android devices"
}
jvndb-2014-000137
Vulnerability from jvndb
Published
2014-12-02 13:56
Modified
2014-12-09 15:34
Summary
Multiple improper data validation vulnerabilities in Syslink driver for Texas Instruments OMAP mobile processors
Details
The Syslink driver for OMAP mobile processors contained in Android devices contain mulitple improper data validation vulerabilities.
The OMAP mobile processor provided by Texas Instruments is used in some Android tablets, smartphones and other devices. The Syslink driver for some OMAP mobile processors is used to implement the communication of processes between the host and slave processors.
The Syslink driver contains multiple vulnerabilities where userland data is not properly validated prior to use. Exploitation of these vulnerabilities may lead to arbitrary code execution or kernel memory content disclosure.
Masaaki Chida of GREE, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN67792023/index.html | |
| CVE | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7252 | |
| NVD | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7252 | |
| Improper Input Validation(CWE-20) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000137.html",
"dc:date": "2014-12-09T15:34+09:00",
"dcterms:issued": "2014-12-02T13:56+09:00",
"dcterms:modified": "2014-12-09T15:34+09:00",
"description": "The Syslink driver for OMAP mobile processors contained in Android devices contain mulitple improper data validation vulerabilities.\r\n\r\nThe OMAP mobile processor provided by Texas Instruments is used in some Android tablets, smartphones and other devices. The Syslink driver for some OMAP mobile processors is used to implement the communication of processes between the host and slave processors.\r\nThe Syslink driver contains multiple vulnerabilities where userland data is not properly validated prior to use. Exploitation of these vulnerabilities may lead to arbitrary code execution or kernel memory content disclosure.\r\n\r\nMasaaki Chida of GREE, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000137.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:cvss": {
"@score": "6.2",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2014-000137",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN67792023/index.html",
"@id": "JVN#67792023",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7252",
"@id": "CVE-2014-7252",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7252",
"@id": "CVE-2014-7252",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
}
],
"title": "Multiple improper data validation vulnerabilities in Syslink driver for Texas Instruments OMAP mobile processors"
}
jvndb-2013-001665
Vulnerability from jvndb
Published
2013-10-30 16:08
Modified
2015-10-28 10:05
Summary
Multiple products that use International Components for Unicode (ICU) vulnerable to denial-of-service (DoS)
Details
Multiple products that use International Components for Unicode (ICU) contain a denial-of-service (DoS) vulnerability.
International Components for Unicode (ICU) is a library for handling Unicode strings. A C version, ICU4C and a Java version ICU4J are available. Multiple products that use ICU4C contain a denial-of-service vulnerability due to a race condition.
ICU released ICU4C version 50.1.1 that addresses this vulnerability in December, 2012.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-001665.html",
"dc:date": "2015-10-28T10:05+09:00",
"dcterms:issued": "2013-10-30T16:08+09:00",
"dcterms:modified": "2015-10-28T10:05+09:00",
"description": "Multiple products that use International Components for Unicode (ICU) contain a denial-of-service (DoS) vulnerability.\r\n\r\nInternational Components for Unicode (ICU) is a library for handling Unicode strings. A C version, ICU4C and a Java version ICU4J are available. Multiple products that use ICU4C contain a denial-of-service vulnerability due to a race condition.\r\n\r\nICU released ICU4C version 50.1.1 that addresses this vulnerability in December, 2012.",
"link": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-001665.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:cvss": {
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2013-001665",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN70739377/index.html",
"@id": "JVN#70739377",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0900",
"@id": "CVE-2013-0900",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0900",
"@id": "CVE-2013-0900",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-362",
"@title": "Race Condition(CWE-362)"
}
],
"title": "Multiple products that use International Components for Unicode (ICU) vulnerable to denial-of-service (DoS)"
}
jvndb-2020-000007
Vulnerability from jvndb
Published
2020-01-28 15:59
Modified
2020-01-28 15:59
Severity ?
Summary
Android App "MyPallete" vulnerable to improper server certificate verification
Details
Android App "MyPallete" developed by NTT Data Corporation is used by several financial institutions as Android applications for their customers.
"MyPallete" is vulnerable to improper server certificate verification (CWE-295) and to improper host-matching validation (CWE-297).
Dai Nakamura of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) | |
| NTT DATA | MyPallete |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000007.html",
"dc:date": "2020-01-28T15:59+09:00",
"dcterms:issued": "2020-01-28T15:59+09:00",
"dcterms:modified": "2020-01-28T15:59+09:00",
"description": "Android App \"MyPallete\" developed by NTT Data Corporation is used by several financial institutions as Android applications for their customers.\r\n\"MyPallete\" is vulnerable to improper server certificate verification (CWE-295) and to improper host-matching validation (CWE-297).\r\n\r\nDai Nakamura of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000007.html",
"sec:cpe": [
{
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
{
"#text": "cpe:/a:nttdata:mypallete",
"@product": "MyPallete",
"@vendor": "NTT DATA",
"@version": "2.2"
}
],
"sec:cvss": [
{
"@score": "4.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2020-000007",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN28845872/index.html",
"@id": "JVN#28845872",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5523",
"@id": "CVE-2020-5523",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5523",
"@id": "CVE-2020-5523",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Android App \"MyPallete\" vulnerable to improper server certificate verification"
}
jvndb-2013-000087
Vulnerability from jvndb
Published
2013-09-19 13:29
Modified
2014-08-28 18:10
Summary
Multiple broadband routers may behave as open resolvers
Details
Multiple broadband routers contain an issue where they may behave as open resolvers.
A device that runs as a DNS cache server, which responds to any recursive DNS queries that are received is referred to as an open resolver.
Multiple broadband routers may contain an issue where they may behave as open resolvers.
This issue was confirmed by JPCERT/CC and IPA that it affected multiple developers and was coordinated by JPCERT/CC.
In addition, Yasuhiro Orange Morishita of Japan Registry Services Co., Ltd. (JPRS) reported this vulnerability to JPCERT/CC under the Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/jp/JVN62507275/ | |
| JPCERT-WR | http://www.jpcert.or.jp/at/2013/at130022.html | |
| CERT-TA | https://www.us-cert.gov/ncas/alerts/TA13-088A | |
| CERT-TA | http://www.us-cert.gov/ncas/alerts/TA14-017A | |
| JPRS | http://jprs.jp/important/2013/130418.html | |
| JPNIC | https://www.nic.ad.jp/ja/dns/openresolver/ | |
| Permissions(CWE-264) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000087.html",
"dc:date": "2014-08-28T18:10+09:00",
"dcterms:issued": "2013-09-19T13:29+09:00",
"dcterms:modified": "2014-08-28T18:10+09:00",
"description": "Multiple broadband routers contain an issue where they may behave as open resolvers.\r\n\r\nA device that runs as a DNS cache server, which responds to any recursive DNS queries that are received is referred to as an open resolver.\r\nMultiple broadband routers may contain an issue where they may behave as open resolvers.\r\n\r\nThis issue was confirmed by JPCERT/CC and IPA that it affected multiple developers and was coordinated by JPCERT/CC.\r\nIn addition, Yasuhiro Orange Morishita of Japan Registry Services Co., Ltd. (JPRS) reported this vulnerability to JPCERT/CC under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000087.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:cvss": {
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2013-000087",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN62507275/",
"@id": "JVN#62507275",
"@source": "JVN"
},
{
"#text": "http://www.jpcert.or.jp/at/2013/at130022.html",
"@id": "DDoS attacks using recursive DNS requests",
"@source": "JPCERT-WR"
},
{
"#text": "https://www.us-cert.gov/ncas/alerts/TA13-088A",
"@id": "Alert (TA13-088A) DNS Amplification Attacks",
"@source": "CERT-TA"
},
{
"#text": "http://www.us-cert.gov/ncas/alerts/TA14-017A",
"@id": "Alert (TA14-017A) UDP-based Amplification Attacks",
"@source": "CERT-TA"
},
{
"#text": "http://jprs.jp/important/2013/130418.html",
"@id": "An unsuitable setup of a DNS server\"Open Resolver\"",
"@source": "JPRS"
},
{
"#text": "https://www.nic.ad.jp/ja/dns/openresolver/",
"@id": "About Open Resolver",
"@source": "JPNIC"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-264",
"@title": "Permissions(CWE-264)"
}
],
"title": "Multiple broadband routers may behave as open resolvers"
}
jvndb-2015-000172
Vulnerability from jvndb
Published
2015-10-30 15:16
Modified
2016-02-12 17:16
Summary
Multiple routers contain issue in preventing clickjacking attacks
Details
Multiple router products contain an issue in the protection against clickjacking attacks.
Noriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN48135658/index.html | |
| No Mapping(CWE-Other) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000172.html",
"dc:date": "2016-02-12T17:16+09:00",
"dcterms:issued": "2015-10-30T15:16+09:00",
"dcterms:modified": "2016-02-12T17:16+09:00",
"description": "Multiple router products contain an issue in the protection against clickjacking attacks.\r\n\r\nNoriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000172.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:cvss": {
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2015-000172",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN48135658/index.html",
"@id": "JVN#48135658",
"@source": "JVN"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple routers contain issue in preventing clickjacking attacks"
}
jvndb-2020-018328
Vulnerability from jvndb
Published
2024-09-12 12:23
Modified
2024-09-12 12:23
Summary
Falsification and eavesdropping of contents across multiple websites via Web Rehosting services
Details
Researchers at NTT Secure Platform Laboratories and Waseda University have identified multiple security issues that lead to content being tampered with and eavesdropped on a service called Web Rehosting. These issues have been published in <a href="https://www.ndss-symposium.org/ndss-paper/melting-pot-of-origins-compromising-the-intermediary-web-services-that-rehost-websites/" target="blank">NDSS 2020</a>.
"Web Rehosting" is the name of a group of web services proposed in this study, which has the function of retrieving content from a user-specified website and hosting it again on its server.
Web rehosting includes a web proxy service that allows users to specify the URLs they want to view from the web interface, a web translation service that translates the entire website and a web archive service that stores snapshots of the website.
If a web rehosting service does not take measures against the attacks listed in this advisory, there is a risk that some of the browser resources of users may be manipulated by an attacker, resulting in a security and privacy violation.
Web rehosting service owners can refer to the "Solution" section for countermeasures.
Please refer to <a href="https://jvn.jp/en/ta/JVNTA96129397/index.html" target="blank">JVNTA#96129397</a> for more details.
This document was written by Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama (NTT Secure Platform Laboratories), and JPCERT/CC to alert service providers and users.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-018328.html",
"dc:date": "2024-09-12T12:23+09:00",
"dcterms:issued": "2024-09-12T12:23+09:00",
"dcterms:modified": "2024-09-12T12:23+09:00",
"description": "Researchers at NTT Secure Platform Laboratories and Waseda University have identified multiple security issues that lead to content being tampered with and eavesdropped on a service called Web Rehosting. These issues have been published in \u003ca href=\"https://www.ndss-symposium.org/ndss-paper/melting-pot-of-origins-compromising-the-intermediary-web-services-that-rehost-websites/\" target=\"blank\"\u003eNDSS 2020\u003c/a\u003e.\r\n\r\n\"Web Rehosting\" is the name of a group of web services proposed in this study, which has the function of retrieving content from a user-specified website and hosting it again on its server.\r\nWeb rehosting includes a web proxy service that allows users to specify the URLs they want to view from the web interface, a web translation service that translates the entire website and a web archive service that stores snapshots of the website.\r\n\r\nIf a web rehosting service does not take measures against the attacks listed in this advisory, there is a risk that some of the browser resources of users may be manipulated by an attacker, resulting in a security and privacy violation.\r\n\r\nWeb rehosting service owners can refer to the \"Solution\" section for countermeasures.\r\n\r\nPlease refer to \u003ca href=\"https://jvn.jp/en/ta/JVNTA96129397/index.html\" target=\"blank\"\u003eJVNTA#96129397\u003c/a\u003e for more details.\r\n\r\nThis document was written by Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama (NTT Secure Platform Laboratories), and JPCERT/CC to alert service providers and users.",
"link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-018328.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:identifier": "JVNDB-2020-018328",
"sec:references": [
{
"#text": "https://jvn.jp/en/ta/JVNTA96129397/index.html",
"@id": "JVNTA#96129397",
"@source": "JVN"
},
{
"#text": "https://www.ndss-symposium.org/ndss-paper/melting-pot-of-origins-compromising-the-intermediary-web-services-that-rehost-websites/",
"@id": "Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites",
"@source": "Related document"
}
],
"title": "Falsification and eavesdropping of contents across multiple websites via Web Rehosting services"
}
jvndb-2012-000102
Vulnerability from jvndb
Published
2012-11-14 15:07
Modified
2012-11-30 18:01
Summary
Multiple Android devices vulnerable to denial-of-service (DoS)
Details
Multiple Android devices contains a denial-of-service (DoS) vulnerability.
Multiple Android devices contain an issue when referencing specific system area, which may lead to a denial-of-service (DoS).
Tsukasa Oi of Fourteenforty Research Institue, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN74829345/index.html | |
| No Mapping(CWE-noinfo) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2012/JVNDB-2012-000102.html",
"dc:date": "2012-11-30T18:01+09:00",
"dcterms:issued": "2012-11-14T15:07+09:00",
"dcterms:modified": "2012-11-30T18:01+09:00",
"description": "Multiple Android devices contains a denial-of-service (DoS) vulnerability.\r\n\r\nMultiple Android devices contain an issue when referencing specific system area, which may lead to a denial-of-service (DoS).\r\n\r\nTsukasa Oi of Fourteenforty Research Institue, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2012/JVNDB-2012-000102.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:cvss": {
"@score": "5.4",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2012-000102",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN74829345/index.html",
"@id": "JVN#74829345",
"@source": "JVN"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-noinfo",
"@title": "No Mapping(CWE-noinfo)"
}
],
"title": "Multiple Android devices vulnerable to denial-of-service (DoS)"
}
jvndb-2004-000594
Vulnerability from jvndb
Published
2008-05-21 00:00
Modified
2008-05-21 00:00
Summary
DNS cache servers resource consumption by TCP SYN_SENT states
Details
DNS cache servers consume huge resources for communication with DNS authoritative servers in the following situation.
(1) a user sends a query to the DNS cache server
(2) the DNS cache server sends a UDP query to an authoritative server
(3) when the authoritative server finds that the reply content is too large, it sends back the reply packet to the DNS cache server with the TC bit on
(4) the DNS cache server re-sends a query by TCP
(5) when the authoritative server does not reply to the TCP query, or 53/tcp destined packets are dropped, the DNS cache server holds the socket in the SYN_SENT state for a certain period of time
(6) a huge number of transactions in steps (1)-(5) take place in a short period of time
Affected products are DNS servers with the network configuration described as above.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2004/JVNDB-2004-000594.html",
"dc:date": "2008-05-21T00:00+09:00",
"dcterms:issued": "2008-05-21T00:00+09:00",
"dcterms:modified": "2008-05-21T00:00+09:00",
"description": "DNS cache servers consume huge resources for communication with DNS authoritative servers in the following situation.\r\n(1) a user sends a query to the DNS cache server\r\n(2) the DNS cache server sends a UDP query to an authoritative server\r\n(3) when the authoritative server finds that the reply content is too large, it sends back the reply packet to the DNS cache server with the TC bit on\r\n(4) the DNS cache server re-sends a query by TCP\r\n(5) when the authoritative server does not reply to the TCP query, or 53/tcp destined packets are dropped, the DNS cache server holds the socket in the SYN_SENT state for a certain period of time \r\n(6) a huge number of transactions in steps (1)-(5) take place in a short period of time\r\n\r\nAffected products are DNS servers with the network configuration described as above.",
"link": "https://jvndb.jvn.jp/en/contents/2004/JVNDB-2004-000594.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:cvss": {
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2004-000594",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN61857DA9/index.html",
"@id": "JVN#61857DA9",
"@source": "JVN"
},
{
"#text": "http://www.nanog.org/mtg-0410/toyama.html",
"@id": "NANOG Abstract",
"@source": "NANOG"
},
{
"#text": "http://www.nanog.org/mtg-0410/pdf/toyama.pdf",
"@id": "NANOG PDF presentation",
"@source": "NANOG"
}
],
"title": "DNS cache servers resource consumption by TCP SYN_SENT states"
}
jvndb-2020-018327
Vulnerability from jvndb
Published
2024-09-11 18:19
Modified
2024-09-11 18:19
Summary
Malleability attack against executables encrypted by CBC mode with no integrity check
Details
Researchers at NTT, University of Hyogo, and NEC have identified a security issue that leads to executing arbitrary code in executable files that are encrypted by CBC mode with no integrity check. This issue has been published in <a href="https://sites.google.com/di.uniroma1.it/acns2020/home" target=blank>ACNS 2020</a>
.
There is a risk that an encrypted executable file may be manipulated by an attacker without prior knowledge of plaintext or secret key, resulting in arbitrary code execution if the developer does not take measures against the attack.
Developers can refer to the "Solution" section for countermeasures.
Please refer to <a href="https://jvn.jp/en/ta/JVNTA94494000/" target=blank>JVNTA#94494000</a> for more details.
This document was written by Rintaro Fujita (NTT), Takanori Isobe (University of Hyogo), Kazuhiko Minematsu (NEC), and JPCERT/CC.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/ta/JVNTA94494000/ | |
| Related document | https://link.springer.com/chapter/10.1007/978-3-030-57808-4_10 | |
| Related document | https://eprint.iacr.org/2020/1159 |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-018327.html",
"dc:date": "2024-09-11T18:19+09:00",
"dcterms:issued": "2024-09-11T18:19+09:00",
"dcterms:modified": "2024-09-11T18:19+09:00",
"description": "Researchers at NTT, University of Hyogo, and NEC have identified a security issue that leads to executing arbitrary code in executable files that are encrypted by CBC mode with no integrity check. This issue has been published in \u003ca href=\"https://sites.google.com/di.uniroma1.it/acns2020/home\" target=blank\u003eACNS 2020\u003c/a\u003e\r\n.\r\nThere is a risk that an encrypted executable file may be manipulated by an attacker without prior knowledge of plaintext or secret key, resulting in arbitrary code execution if the developer does not take measures against the attack.\r\n\r\nDevelopers can refer to the \"Solution\" section for countermeasures.\r\n\r\nPlease refer to \u003ca href=\"https://jvn.jp/en/ta/JVNTA94494000/\" target=blank\u003eJVNTA#94494000\u003c/a\u003e for more details.\r\n\r\nThis document was written by Rintaro Fujita (NTT), Takanori Isobe (University of Hyogo), Kazuhiko Minematsu (NEC), and JPCERT/CC.",
"link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-018327.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:identifier": "JVNDB-2020-018327",
"sec:references": [
{
"#text": "https://jvn.jp/en/ta/JVNTA94494000/",
"@id": "JVNTA#94494000",
"@source": "JVN"
},
{
"#text": "https://link.springer.com/chapter/10.1007/978-3-030-57808-4_10",
"@id": "ACE in Chains: How Risky Is CBC Encryption of Binary Executable Files? | SpringerLink",
"@source": "Related document"
},
{
"#text": "https://eprint.iacr.org/2020/1159",
"@id": "Cryptology ePrint Archive: Report 2020/1159 - ACE in Chains : How Risky is CBC Encryption of Binary Executable Files ?",
"@source": "Related document"
}
],
"title": "Malleability attack against executables encrypted by CBC mode with no integrity check"
}
jvndb-2013-000039
Vulnerability from jvndb
Published
2013-05-15 14:25
Modified
2013-06-19 09:58
Summary
Wi-Fi Spot Configuration Software vulnerability in the connection process
Details
Wi-Fi Spot Configuration Software provided by SoftBank contains a vulnerability within the process of connecting to Wi-Fi access points, which may lead to user information being sent unintentionally.
Masashi Sakai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/jp/JVN85371480/ | |
| CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2310 | |
| NVD | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2310 | |
| Improper Authentication(CWE-287) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000039.html",
"dc:date": "2013-06-19T09:58+09:00",
"dcterms:issued": "2013-05-15T14:25+09:00",
"dcterms:modified": "2013-06-19T09:58+09:00",
"description": "Wi-Fi Spot Configuration Software provided by SoftBank contains a vulnerability within the process of connecting to Wi-Fi access points, which may lead to user information being sent unintentionally.\r\n\r\nMasashi Sakai reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000039.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:cvss": {
"@score": "3.3",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2013-000039",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN85371480/",
"@id": "JVN#85371480",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2310",
"@id": "CVE-2013-2310",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2310",
"@id": "CVE-2013-2310",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-287",
"@title": "Improper Authentication(CWE-287)"
}
],
"title": "Wi-Fi Spot Configuration Software vulnerability in the connection process"
}
jvndb-2013-004446
Vulnerability from jvndb
Published
2013-10-30 16:32
Modified
2015-10-28 10:05
Summary
Use-after-free vulnerability in multiple products that use International Components for Unicode (ICU)
Details
Multiple products that use International Components for Unicode (ICU) contain a use-after-free vulnerability.
International Components for Unicode (ICU) is a library for handling Unicode strings. A C version, ICU4C and a Java version, ICU4J are available. Multiple products that use ICU4C contain a use-after-free vulnerability.
ICU released ICU4C version 52.1 that addresses this vulnerability on October 9, 2013.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN85336306/index.html | |
| CVE | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2924 | |
| NVD | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2924 | |
| Resource Management Errors(CWE-399) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| (Multiple Venders) | (Multiple Products) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-004446.html",
"dc:date": "2015-10-28T10:05+09:00",
"dcterms:issued": "2013-10-30T16:32+09:00",
"dcterms:modified": "2015-10-28T10:05+09:00",
"description": "Multiple products that use International Components for Unicode (ICU) contain a use-after-free vulnerability.\r\n\r\nInternational Components for Unicode (ICU) is a library for handling Unicode strings. A C version, ICU4C and a Java version, ICU4J are available. Multiple products that use ICU4C contain a use-after-free vulnerability.\r\n\r\nICU released ICU4C version 52.1 that addresses this vulnerability on October 9, 2013.",
"link": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-004446.html",
"sec:cpe": {
"#text": "cpe:/a:misc:multiple_vendors",
"@product": "(Multiple Products)",
"@vendor": "(Multiple Venders)",
"@version": "2.2"
},
"sec:cvss": {
"@score": "7.5",
"@severity": "High",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2013-004446",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN85336306/index.html",
"@id": "JVN#85336306",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2924",
"@id": "CVE-2013-2924",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2924",
"@id": "CVE-2013-2924",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-399",
"@title": "Resource Management Errors(CWE-399)"
}
],
"title": "Use-after-free vulnerability in multiple products that use International Components for Unicode (ICU)"
}