CVE-2022-38117 - Vulnerability Details - OpenCVE

Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users’ ciphertext and tamper with it.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0015.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Juiker	Juiker

Configuration 1 [-]

cpe:2.3:a:juiker:juiker:4.6.0311.1:*:*:*:*:android:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-40719	Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users’ ciphertext and tamper with it.

Fixes

Solution

Update Juiker app version to 4.6.0915.1

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html

History

Wed, 07 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2022-10-24T13:21:03.691Z

Updated: 2025-05-07T13:34:07.470Z

Reserved: 2022-08-10T00:00:00.000Z

Link: CVE-2022-38117

Vulnrichment

Updated: 2024-08-03T10:45:52.820Z

NVD

Status : Modified

Published: 2022-10-24T14:15:50.863

Modified: 2024-11-21T07:15:49.673

Link: CVE-2022-38117

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-38117", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "datePublished": "2022-10-24T13:21:03.691Z", "dateUpdated": "2025-05-07T13:34:07.470Z", "dateReserved": "2022-08-10T00:00:00.000Z"}, "containers": {"cna": {"title": "Juiker app - Hard-coded Credentials", "datePublic": "2022-10-24T00:00:00.000Z", "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2022-10-24T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users\u2019 ciphertext and tamper with it."}], "affected": [{"vendor": "Juiker", "product": "Juiker app", "versions": [{"version": "4.6.0311.1", "status": "affected"}]}], "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html"}], "credits": [{"lang": "en", "value": "RayHong (CCoE)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-798 Use of Hard-coded Credentials", "cweId": "CWE-798"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "TVN-202208002", "discovery": "EXTERNAL"}, "solutions": [{"lang": "en", "value": "Update Juiker app version to 4.6.0915.1"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.820Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T13:33:24.537624Z", "id": "CVE-2022-38117", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:34:07.470Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.820Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-38117", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-07T13:33:24.537624Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:33:35.685Z"}}], "cna": {"title": "Juiker app - Hard-coded Credentials", "source": {"advisory": "TVN-202208002", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "RayHong (CCoE)"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Juiker", "product": "Juiker app", "versions": [{"status": "affected", "version": "4.6.0311.1"}]}], "solutions": [{"lang": "en", "value": "Update Juiker app version to 4.6.0915.1"}], "datePublic": "2022-10-24T00:00:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users\u2019 ciphertext and tamper with it."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2022-10-24T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-38117", "state": "PUBLISHED", "dateUpdated": "2025-05-07T13:34:07.470Z", "dateReserved": "2022-08-10T00:00:00.000Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2022-10-24T13:21:03.691Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:juiker:juiker:4.6.0311.1:*:*:*:*:android:*:*", "matchCriteriaId": "70D4534E-BD1E-4391-8304-6501024FE375", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users\u2019 ciphertext and tamper with it."}, {"lang": "es", "value": "La aplicaci\u00f3n Juiker embebe su clave AES en el c\u00f3digo fuente. Un atacante f\u00edsico, despu\u00e9s de conseguir el privilegio de root de Android, puede usar la clave AES para descifrar el texto cifrado de usuarios y manipularlo"}], "id": "CVE-2022-38117", "lastModified": "2024-11-21T07:15:49.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.3, "impactScore": 5.2, "source": "twcert@cert.org.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-24T14:15:50.863", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.twcert.org.tw/tw/cp-132-6630-d4d2f-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "twcert@cert.org.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}