github - ghsa-h25f-2g8f-4527

GHSA-H25F-2G8F-4527

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2025-04-20 03:37

Details

The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION do not properly implement the WebView class, which allows an attacker to disclose information stored on the device via a specially crafted application.

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-4839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-12T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION do not properly implement the WebView class, which allows an attacker to disclose information stored on the device via a specially crafted application.",
  "id": "GHSA-h25f-2g8f-4527",
  "modified": "2025-04-20T03:37:38Z",
  "published": "2022-05-13T01:10:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4839"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN61297210/index.html"
    },
    {
      "type": "WEB",
      "url": "http://corp.moneyforward.com/info/20160920-mf-android"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93035"
    },
    {
      "type": "WEB",
      "url": "http://www.sourcenext.com/support/i/160725_1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2016-4839 (GCVE-0-2016-4839)

Vulnerability from cvelistv5 – Published: 2017-05-12 18:00 – Updated: 2024-08-06 00:39

Summary

Severity ?

No CVSS data available.

CWE

WebView implmentation issue

Assigner

jpcert

References

URL

Tags

	http://www.sourcenext.com/support/i/160725_1	x_refsource_MISC
	http://www.securityfocus.com/bid/93035	vdb-entryx_refsource_BID
	http://corp.moneyforward.com/info/20160920-mf-android/	x_refsource_CONFIRM
	https://jvn.jp/en/jp/JVN61297210/index.html	third-party-advisoryx_refsource_JVN

Impacted products

Vendor

Product

Version

Money Foward, Inc.

Money Forward

Affected: prior to v7.18.0

Money Foward, Inc.	Money Forward for The Gunma Bank	Affected: prior to v1.2.0
Money Foward, Inc.	Money Forward for SHIGA BANK	Affected: prior to v1.2.0
Money Foward, Inc.	Money Forward for SHIZUOKA BANK	Affected: prior to v1.4.0
Money Foward, Inc.	Money Forward for SBI Sumishin Net Bank	Affected: prior to v1.6.0
Money Foward, Inc.	Money Forward for Tokai Tokyo Securities	Affected: prior to v1.4.0
Money Foward, Inc.	Money Forward for THE TOHO BANK	Affected: prior to v1.3.0
Money Foward, Inc.	Money Forward for YMFG	Affected: prior to v1.5.0
SOURCENEXT CORPORATION	Money Forward for AppPass	Affected: prior to v7.18.3
SOURCENEXT CORPORATION	Money Forward for au SMARTPASS	Affected: prior to v7.18.0
SOURCENEXT CORPORATION	Money Forward for Chou Houdai	Affected: prior to v7.18.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T00:39:26.310Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.sourcenext.com/support/i/160725_1"
          },
          {
            "name": "93035",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/93035"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://corp.moneyforward.com/info/20160920-mf-android/"
          },
          {
            "name": "JVN#61297210",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN61297210/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Money Forward",
          "vendor": "Money Foward, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v7.18.0"
            }
          ]
        },
        {
          "product": "Money Forward for The Gunma Bank",
          "vendor": "Money Foward, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v1.2.0"
            }
          ]
        },
        {
          "product": "Money Forward for SHIGA BANK",
          "vendor": "Money Foward, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v1.2.0"
            }
          ]
        },
        {
          "product": "Money Forward for SHIZUOKA BANK",
          "vendor": "Money Foward, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v1.4.0"
            }
          ]
        },
        {
          "product": "Money Forward for SBI Sumishin Net Bank",
          "vendor": "Money Foward, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v1.6.0"
            }
          ]
        },
        {
          "product": "Money Forward for Tokai Tokyo Securities",
          "vendor": "Money Foward, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v1.4.0"
            }
          ]
        },
        {
          "product": "Money Forward for THE TOHO BANK",
          "vendor": "Money Foward, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v1.3.0"
            }
          ]
        },
        {
          "product": "Money Forward for YMFG",
          "vendor": "Money Foward, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v1.5.0"
            }
          ]
        },
        {
          "product": "Money Forward for AppPass",
          "vendor": "SOURCENEXT CORPORATION",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v7.18.3"
            }
          ]
        },
        {
          "product": "Money Forward for au SMARTPASS",
          "vendor": "SOURCENEXT CORPORATION",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v7.18.0"
            }
          ]
        },
        {
          "product": "Money Forward for Chou Houdai",
          "vendor": "SOURCENEXT CORPORATION",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v7.18.3"
            }
          ]
        }
      ],
      "datePublic": "2016-09-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION do not properly implement the WebView class, which allows an attacker to disclose information stored on the device via a specially crafted application."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "WebView implmentation issue",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-05-15T09:57:01",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.sourcenext.com/support/i/160725_1"
        },
        {
          "name": "93035",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/93035"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://corp.moneyforward.com/info/20160920-mf-android/"
        },
        {
          "name": "JVN#61297210",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "https://jvn.jp/en/jp/JVN61297210/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2016-4839",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Money Forward",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v7.18.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Money Forward for The Gunma Bank",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v1.2.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Money Forward for SHIGA BANK",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v1.2.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Money Forward for SHIZUOKA BANK",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v1.4.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Money Forward for SBI Sumishin Net Bank",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v1.6.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Money Forward for Tokai Tokyo Securities",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v1.4.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Money Forward for THE TOHO BANK",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v1.3.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Money Forward for YMFG",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v1.5.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Money Foward, Inc."
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Money Forward for AppPass",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v7.18.3"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Money Forward for au SMARTPASS",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v7.18.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Money Forward for Chou Houdai",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to v7.18.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SOURCENEXT CORPORATION"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION do not properly implement the WebView class, which allows an attacker to disclose information stored on the device via a specially crafted application."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "WebView implmentation issue"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.sourcenext.com/support/i/160725_1",
              "refsource": "MISC",
              "url": "http://www.sourcenext.com/support/i/160725_1"
            },
            {
              "name": "93035",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/93035"
            },
            {
              "name": "http://corp.moneyforward.com/info/20160920-mf-android/",
              "refsource": "CONFIRM",
              "url": "http://corp.moneyforward.com/info/20160920-mf-android/"
            },
            {
              "name": "JVN#61297210",
              "refsource": "JVN",
              "url": "https://jvn.jp/en/jp/JVN61297210/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2016-4839",
    "datePublished": "2017-05-12T18:00:00",
    "dateReserved": "2016-05-17T00:00:00",
    "dateUpdated": "2024-08-06T00:39:26.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-H25F-2G8F-4527

CVE-2016-4839 (GCVE-0-2016-4839)

Tags

Sightings

Nomenclature