CVE-2018-18976 - OpenCVE

An issue was discovered in the Ascensia Contour NEXT ONE application for iOS and Android before 2019-01-15. An attacker may retrieve encrypted medical information of any user of the Ascensia cloud platform by performing Direct Object References with a series of user ID values. (This information can be decrypted through a different vulnerability.)

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ascensia	Contour Diabetes

Configuration 1 [-]

OR	cpe:2.3:a:ascensia:contour_diabetes::::::iphone_os::*
	cpe:2.3:a:ascensia:contour_diabetes::::::android::*

No data.

References

Link	Providers
https://depthsecurity.com/blog/medical-exploitation-you-are-now-diabetic

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-05-06T19:12:22

Updated: 2024-08-05T11:23:08.568Z

Reserved: 2018-11-05T00:00:00

Link: CVE-2018-18976

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-05-06T20:29:00.367

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-18976

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-02-14T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in the Ascensia Contour NEXT ONE application for iOS and Android before 2019-01-15. An attacker may retrieve encrypted medical information of any user of the Ascensia cloud platform by performing Direct Object References with a series of user ID values. (This information can be decrypted through a different vulnerability.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-06T19:12:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://depthsecurity.com/blog/medical-exploitation-you-are-now-diabetic"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18976", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the Ascensia Contour NEXT ONE application for iOS and Android before 2019-01-15. An attacker may retrieve encrypted medical information of any user of the Ascensia cloud platform by performing Direct Object References with a series of user ID values. (This information can be decrypted through a different vulnerability.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://depthsecurity.com/blog/medical-exploitation-you-are-now-diabetic", "refsource": "MISC", "url": "https://depthsecurity.com/blog/medical-exploitation-you-are-now-diabetic"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:23:08.568Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://depthsecurity.com/blog/medical-exploitation-you-are-now-diabetic"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18976", "datePublished": "2019-05-06T19:12:22", "dateReserved": "2018-11-05T00:00:00", "dateUpdated": "2024-08-05T11:23:08.568Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ascensia:contour_diabetes:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "81E00FDA-5DE8-47F6-A297-FC27A238B511", "versionEndExcluding": "2.4.30", "vulnerable": true}, {"criteria": "cpe:2.3:a:ascensia:contour_diabetes:*:*:*:*:*:android:*:*", "matchCriteriaId": "47844740-F98D-485F-A188-FA9EDF1C88A1", "versionEndExcluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Ascensia Contour NEXT ONE application for iOS and Android before 2019-01-15. An attacker may retrieve encrypted medical information of any user of the Ascensia cloud platform by performing Direct Object References with a series of user ID values. (This information can be decrypted through a different vulnerability.)"}, {"lang": "es", "value": "Fue descubierto un fallo en la aplicaci\u00f3n para iOS y Android Ascensia Contour NEXT ONE antes del 15-01-2019. Un atacante podr\u00eda obtener datos m\u00e9dicos cifrados de cualquier paciente de la plataforma en la nube Ascensia realizando Referencias Directas de Objetos con una serie de valores de ID de usuario. (Esta informaci\u00f3n puede ser descifrada a trav\u00e9s de una vulnerabilidad diferente)"}], "id": "CVE-2018-18976", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-06T20:29:00.367", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://depthsecurity.com/blog/medical-exploitation-you-are-now-diabetic"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}