CVE-2021-20835 - OpenCVE

Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mercari	Mercari

Configuration 1 [-]

cpe:2.3:a:mercari:mercari:*:*:*:*:*:android:*:*

No data.

References

Link	Providers
https://jvn.jp/en/jp/JVN49465877/index.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2021-11-24T08:25:38

Updated: 2024-08-03T17:53:23.012Z

Reserved: 2020-12-17T00:00:00

Link: CVE-2021-20835

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-11-24T16:15:12.970

Modified: 2022-05-03T16:04:40.443

Link: CVE-2021-20835

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version)", "vendor": "Mercari, Inc.", "versions": [{"status": "affected", "version": "versions prior to 4.49.1"}]}], "descriptions": [{"lang": "en", "value": "Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained."}], "problemTypes": [{"descriptions": [{"description": "Improper Authorization in Handler for Custom URL Scheme", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-24T08:25:38", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/jp/JVN49465877/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20835", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version)", "version": {"version_data": [{"version_value": "versions prior to 4.49.1"}]}}]}, "vendor_name": "Mercari, Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Authorization in Handler for Custom URL Scheme"}]}]}, "references": {"reference_data": [{"name": "https://jvn.jp/en/jp/JVN49465877/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN49465877/index.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:53:23.012Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jvn.jp/en/jp/JVN49465877/index.html"}]}]}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20835", "datePublished": "2021-11-24T08:25:38", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:53:23.012Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mercari:mercari:*:*:*:*:*:android:*:*", "matchCriteriaId": "AD3E0EAD-AADA-4EFF-9663-CD638377A02F", "versionEndExcluding": "4.49.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained."}, {"lang": "es", "value": "Una autorizaci\u00f3n inapropiada en el manejador para la vulnerabilidad del esquema de URL personalizado en la aplicaci\u00f3n Android \"Mercari (Merpay) - Marketplace and Mobile Payments App\" (versi\u00f3n de Jap\u00f3n) versiones anteriores a la 4.49.1, permite a un atacante remoto conllevar a un usuario a acceder a un sitio web arbitrario y el sitio web lanza una actividad arbitraria de la aplicaci\u00f3n por medio de la aplicaci\u00f3n vulnerable, lo que puede resultar en una obtenci\u00f3n del token de acceso de la cuenta Mercari"}], "id": "CVE-2021-20835", "lastModified": "2022-05-03T16:04:40.443", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-24T16:15:12.970", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN49465877/index.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}