cnvd - cnvd-2018-20108

CNVD-2018-20108

Vulnerability from cnvd - Published: 2018-09-28

Title

PhonePe信息泄露漏洞

Description

PhonePe wallet（又名com.PhonePe.app）application for Android是印度Phonepe Private公司的一款基于Android平台的无现金支付应用程序。基于Android平台的PhonePe钱包应用程序3.0.6版本至3.3.26版本中存在安全漏洞。攻击者可利用该漏洞发现信用卡/借记卡卡号，截止日期和CVV码。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.phonepe.com/en/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-17402

Impacted products

Name
Phonepe Private PhonePe wallet（又名com.PhonePe.app）application for Android >=3.0.6，<=3.3.26

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-17402"
    }
  },
  "description": "PhonePe wallet\uff08\u53c8\u540dcom.PhonePe.app\uff09application for Android\u662f\u5370\u5ea6Phonepe Private\u516c\u53f8\u7684\u4e00\u6b3e\u57fa\u4e8eAndroid\u5e73\u53f0\u7684\u65e0\u73b0\u91d1\u652f\u4ed8\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\n\u57fa\u4e8eAndroid\u5e73\u53f0\u7684PhonePe\u94b1\u5305\u5e94\u7528\u7a0b\u5e8f3.0.6\u7248\u672c\u81f33.3.26\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53d1\u73b0\u4fe1\u7528\u5361/\u501f\u8bb0\u5361\u5361\u53f7\uff0c\u622a\u6b62\u65e5\u671f\u548cCVV\u7801\u3002",
  "discovererName": "unKnow",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.phonepe.com/en/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-20108",
  "openTime": "2018-09-28",
  "products": {
    "product": "Phonepe Private PhonePe wallet\uff08\u53c8\u540dcom.PhonePe.app\uff09application for Android \u003e=3.0.6\uff0c\u003c=3.3.26"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-17402",
  "serverity": "\u4e2d",
  "submitTime": "2018-09-25",
  "title": "PhonePe\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2018-17402 (GCVE-0-2018-17402)

Vulnerability from cvelistv5 – Published: 2018-09-23 22:00 – Updated: 2024-08-05 10:47 Disputed

Summary

The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number, expiration date, and CVV number. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://github.com/magicj3lly/appexploits/blob/ma…

x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:47:04.451Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/magicj3lly/appexploits/blob/master/PhonePe%20-%20Credit%20and%20Debit%20Card%20Leak.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-09-23T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number, expiration date, and CVV number.  NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-09-25T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/magicj3lly/appexploits/blob/master/PhonePe%20-%20Credit%20and%20Debit%20Card%20Leak.pdf"
        }
      ],
      "tags": [
        "disputed"
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-17402",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number, expiration date, and CVV number.  NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/magicj3lly/appexploits/blob/master/PhonePe%20-%20Credit%20and%20Debit%20Card%20Leak.pdf",
              "refsource": "MISC",
              "url": "https://github.com/magicj3lly/appexploits/blob/master/PhonePe%20-%20Credit%20and%20Debit%20Card%20Leak.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-17402",
    "datePublished": "2018-09-23T22:00:00",
    "dateReserved": "2018-09-23T00:00:00",
    "dateUpdated": "2024-08-05T10:47:04.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-20108

CVE-2018-17402 (GCVE-0-2018-17402)

Tags

Sightings

Nomenclature