CVE-2021-33594 - OpenCVE

An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A remote attacker can leverage this to perform address bar spoofing attack.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
F-secure	Safe

Configuration 1 [-]

cpe:2.3:a:f-secure:safe:*:*:*:*:*:android:*:*

No data.

References

Link	Providers
https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame
https://www.f-secure.com/en/business/support-and-downloads/security-advisories
https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594

History

No history.

MITRE

Status: PUBLISHED

Assigner: F-SecureUS

Published: 2021-08-11T10:28:33

Updated: 2024-08-03T23:50:43.211Z

Reserved: 2021-05-27T00:00:00

Link: CVE-2021-33594

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-08-11T11:15:09.067

Modified: 2021-08-19T18:45:11.110

Link: CVE-2021-33594

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Android"], "product": "F-Secure Mobile Security", "vendor": "F-Secure", "versions": [{"lessThan": "18.3x*", "status": "affected", "version": "18.4x", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A remote attacker can leverage this to perform address bar spoofing attack."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "F-Secure Safe browser for Android vulnerable to Address Bar Spoofing", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-08-11T10:28:33", "orgId": "126858f1-1b65-4b74-81ca-7034f7f7723f", "shortName": "F-SecureUS"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"}, {"tags": ["x_refsource_MISC"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"}, {"tags": ["x_refsource_MISC"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594"}], "solutions": [{"lang": "en", "value": "Upgrade to version 18.4.x or newer from Google Play"}], "source": {"discovery": "EXTERNAL"}, "title": "F-Secure Safe browser for Android vulnerable to Address Bar Spoofing", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-notifications-us@f-secure.com", "ID": "CVE-2021-33594", "STATE": "PUBLIC", "TITLE": "F-Secure Safe browser for Android vulnerable to Address Bar Spoofing"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "F-Secure Mobile Security", "version": {"version_data": [{"platform": "Android", "version_affected": ">=", "version_name": "18.3x", "version_value": "18.4x"}]}}]}, "vendor_name": "F-Secure"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A remote attacker can leverage this to perform address bar spoofing attack."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "F-Secure Safe browser for Android vulnerable to Address Bar Spoofing"}]}]}, "references": {"reference_data": [{"name": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame", "refsource": "MISC", "url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"}, {"name": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories", "refsource": "MISC", "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"}, {"name": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594", "refsource": "MISC", "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594"}]}, "solution": [{"lang": "en", "value": "Upgrade to version 18.4.x or newer from Google Play"}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:50:43.211Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594"}]}]}, "cveMetadata": {"assignerOrgId": "126858f1-1b65-4b74-81ca-7034f7f7723f", "assignerShortName": "F-SecureUS", "cveId": "CVE-2021-33594", "datePublished": "2021-08-11T10:28:33", "dateReserved": "2021-05-27T00:00:00", "dateUpdated": "2024-08-03T23:50:43.211Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f-secure:safe:*:*:*:*:*:android:*:*", "matchCriteriaId": "17900647-DDD4-45DE-8A96-5F9632434B6B", "versionEndExcluding": "18.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A remote attacker can leverage this to perform address bar spoofing attack."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de suplantaci\u00f3n de la barra de direcciones en Safe Browser para Android. Cuando el usuario hace clic en una URL maliciosa especialmente dise\u00f1ada, aparece como una leg\u00edtima en la barra de direcciones, mientras que el contenido proviene de otro dominio y se presenta en una ventana, cubriendo el contenido original. Un atacante remoto puede aprovechar esto para llevar a cabo un ataque de falsificaci\u00f3n de la barra de direcciones"}], "id": "CVE-2021-33594", "lastModified": "2021-08-19T18:45:11.110", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cve-notifications-us@f-secure.com", "type": "Secondary"}]}, "published": "2021-08-11T11:15:09.067", "references": [{"source": "cve-notifications-us@f-secure.com", "tags": ["Vendor Advisory"], "url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"}, {"source": "cve-notifications-us@f-secure.com", "tags": ["Vendor Advisory"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"}, {"source": "cve-notifications-us@f-secure.com", "tags": ["Vendor Advisory"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594"}], "sourceIdentifier": "cve-notifications-us@f-secure.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}