CVE-2021-21385 - OpenCVE

Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mifos	Mifos-mobile

Configuration 1 [-]

cpe:2.3:a:mifos:mifos-mobile:*:*:*:*:*:android:*:*

No data.

References

Link	Providers
https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d
https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx
https://openmf.github.io/mobileapps.github.io/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-03-24T20:45:17

Updated: 2024-08-03T18:09:15.930Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21385

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-24T21:15:15.070

Modified: 2021-03-30T18:30:54.153

Link: CVE-2021-21385

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "mifos-mobile", "vendor": "openMF", "versions": [{"status": "affected", "version": "<= 7ed4f22"}]}], "descriptions": [{"lang": "en", "value": "Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-297", "description": "CWE-297: Improper Validation of Certificate with Host Mismatch", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-24T20:45:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx"}, {"tags": ["x_refsource_MISC"], "url": "https://openmf.github.io/mobileapps.github.io/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d"}], "source": {"advisory": "GHSA-9657-33wf-rmvx", "discovery": "UNKNOWN"}, "title": "Disabled hostname verification and accepting self-signed certificates", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21385", "STATE": "PUBLIC", "TITLE": "Disabled hostname verification and accepting self-signed certificates"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "mifos-mobile", "version": {"version_data": [{"version_value": "<= 7ed4f22"}]}}]}, "vendor_name": "openMF"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295: Improper Certificate Validation"}]}, {"description": [{"lang": "eng", "value": "CWE-297: Improper Validation of Certificate with Host Mismatch"}]}]}, "references": {"reference_data": [{"name": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx", "refsource": "CONFIRM", "url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx"}, {"name": "https://openmf.github.io/mobileapps.github.io/", "refsource": "MISC", "url": "https://openmf.github.io/mobileapps.github.io/"}, {"name": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d", "refsource": "MISC", "url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d"}]}, "source": {"advisory": "GHSA-9657-33wf-rmvx", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.930Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://openmf.github.io/mobileapps.github.io/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21385", "datePublished": "2021-03-24T20:45:17", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.930Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mifos:mifos-mobile:*:*:*:*:*:android:*:*", "matchCriteriaId": "06D0F700-A34C-4383-97E7-0C7FE2707CDD", "versionEndExcluding": "2021-03-14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62."}, {"lang": "es", "value": "La aplicaci\u00f3n de Android Mifos-Mobile para MifosX es una aplicaci\u00f3n de Android construida sobre la plataforma de autoservicio MifosX. Mifos-Mobile versiones anteriores al commit e505f62 deshabilita la comprobaci\u00f3n del nombre de host HTTPS de su cliente HTTP. Adem\u00e1s, acept\u00f3 como v\u00e1lido cualquier certificado autofirmado. La comprobaci\u00f3n del nombre de host es una parte importante cuando es usado HTTPS para garantizar que el certificado presentado sea v\u00e1lido para el host. Deshabilitarlo puede permitir ataques de tipo man-in-the-middle. Aceptar cualquier certificado, inclusive los autofirmados, permite ataques de tipo man-in-the-middle. Este problema es corregido en mifos-mobile commit e505f62"}], "id": "CVE-2021-21385", "lastModified": "2021-03-30T18:30:54.153", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-03-24T21:15:15.070", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://openmf.github.io/mobileapps.github.io/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-297"}], "source": "security-advisories@github.com", "type": "Primary"}]}