CVE-2023-28387 - Vulnerability Details - OpenCVE

"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Uzabase	Newspicks

Configuration 1 [-]

OR	cpe:2.3:a:uzabase:newspicks::::::iphone_os::*
	cpe:2.3:a:uzabase:newspicks::::::android::*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://apps.apple.com/us/app/%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%BA%E3%83%94%E3%83%83%E3%82%AF%E3%82%B9-%E3%83%93%E3%82%B8%E3%83%8D%E3%82%B9%E3%81%AB%E5%BD%B9%E7%AB%8B%E3%81%A4%E7%B5%8C%E6%B8%88%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%B9%E3%82%A2%E3%83%97%E3%83%AA/id640956497
https://jvn.jp/en/jp/JVN32739265/
https://play.google.com/store/apps/details?id=com.newspicks

History

Wed, 04 Dec 2024 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2023-06-30T06:22:37.864Z

Updated: 2024-12-04T15:58:06.395Z

Reserved: 2023-03-15T08:11:31.618Z

Link: CVE-2023-28387

Vulnrichment

Updated: 2024-08-02T12:38:25.109Z

NVD

Status : Modified

Published: 2023-06-30T07:15:08.720

Modified: 2024-11-21T07:54:58.317

Link: CVE-2023-28387

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28387", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2023-03-15T08:11:31.618Z", "datePublished": "2023-06-30T06:22:37.864Z", "dateUpdated": "2024-12-04T15:58:06.395Z"}, "containers": {"cna": {"affected": [{"vendor": "NewsPicks, Inc.", "product": "\"NewsPicks\" App for Android", "versions": [{"version": "versions 10.4.5 and earlier", "status": "affected"}]}, {"vendor": "NewsPicks, Inc.", "product": "\"NewsPicks\" App for iOS", "versions": [{"version": "versions 10.4.2 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "\"NewsPicks\" App for Android versions 10.4.5 and earlier and \"NewsPicks\" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service."}], "problemTypes": [{"descriptions": [{"description": "Use of Hard-coded Credentials", "lang": "en", "type": "text"}]}], "references": [{"url": "https://play.google.com/store/apps/details?id=com.newspicks"}, {"url": "https://apps.apple.com/us/app/%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%BA%E3%83%94%E3%83%83%E3%82%AF%E3%82%B9-%E3%83%93%E3%82%B8%E3%83%8D%E3%82%B9%E3%81%AB%E5%BD%B9%E7%AB%8B%E3%81%A4%E7%B5%8C%E6%B8%88%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%B9%E3%82%A2%E3%83%97%E3%83%AA/id640956497"}, {"url": "https://jvn.jp/en/jp/JVN32739265/"}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2023-06-30T06:22:37.864Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:38:25.109Z"}, "title": "CVE Program Container", "references": [{"url": "https://play.google.com/store/apps/details?id=com.newspicks", "tags": ["x_transferred"]}, {"url": "https://apps.apple.com/us/app/%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%BA%E3%83%94%E3%83%83%E3%82%AF%E3%82%B9-%E3%83%93%E3%82%B8%E3%83%8D%E3%82%B9%E3%81%AB%E5%BD%B9%E7%AB%8B%E3%81%A4%E7%B5%8C%E6%B8%88%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%B9%E3%82%A2%E3%83%97%E3%83%AA/id640956497", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN32739265/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-04T15:57:45.533423Z", "id": "CVE-2023-28387", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-04T15:58:06.395Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28387", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2023-03-15T08:11:31.618Z", "datePublished": "2023-06-30T06:22:37.864Z", "dateUpdated": "2024-12-04T15:58:06.395Z"}, "containers": {"cna": {"affected": [{"vendor": "NewsPicks, Inc.", "product": "\"NewsPicks\" App for Android", "versions": [{"version": "versions 10.4.5 and earlier", "status": "affected"}]}, {"vendor": "NewsPicks, Inc.", "product": "\"NewsPicks\" App for iOS", "versions": [{"version": "versions 10.4.2 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "\"NewsPicks\" App for Android versions 10.4.5 and earlier and \"NewsPicks\" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service."}], "problemTypes": [{"descriptions": [{"description": "Use of Hard-coded Credentials", "lang": "en", "type": "text"}]}], "references": [{"url": "https://play.google.com/store/apps/details?id=com.newspicks"}, {"url": "https://apps.apple.com/us/app/%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%BA%E3%83%94%E3%83%83%E3%82%AF%E3%82%B9-%E3%83%93%E3%82%B8%E3%83%8D%E3%82%B9%E3%81%AB%E5%BD%B9%E7%AB%8B%E3%81%A4%E7%B5%8C%E6%B8%88%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%B9%E3%82%A2%E3%83%97%E3%83%AA/id640956497"}, {"url": "https://jvn.jp/en/jp/JVN32739265/"}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2023-06-30T06:22:37.864Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:38:25.109Z"}, "title": "CVE Program Container", "references": [{"url": "https://play.google.com/store/apps/details?id=com.newspicks", "tags": ["x_transferred"]}, {"url": "https://apps.apple.com/us/app/%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%BA%E3%83%94%E3%83%83%E3%82%AF%E3%82%B9-%E3%83%93%E3%82%B8%E3%83%8D%E3%82%B9%E3%81%AB%E5%BD%B9%E7%AB%8B%E3%81%A4%E7%B5%8C%E6%B8%88%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%B9%E3%82%A2%E3%83%97%E3%83%AA/id640956497", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN32739265/", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-28387", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-04T15:57:45.533423Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-04T15:57:57.306Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uzabase:newspicks:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "8C92C0A8-F610-4037-904A-72A0EF590B6F", "versionEndIncluding": "10.4.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:uzabase:newspicks:*:*:*:*:*:android:*:*", "matchCriteriaId": "3570C41E-46D1-47B4-AC43-A94BD24D4596", "versionEndIncluding": "10.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\"NewsPicks\" App for Android versions 10.4.5 and earlier and \"NewsPicks\" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service."}], "id": "CVE-2023-28387", "lastModified": "2024-11-21T07:54:58.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-30T07:15:08.720", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Product"], "url": "https://apps.apple.com/us/app/%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%BA%E3%83%94%E3%83%83%E3%82%AF%E3%82%B9-%E3%83%93%E3%82%B8%E3%83%8D%E3%82%B9%E3%81%AB%E5%BD%B9%E7%AB%8B%E3%81%A4%E7%B5%8C%E6%B8%88%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%B9%E3%82%A2%E3%83%97%E3%83%AA/id640956497"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN32739265/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product"], "url": "https://play.google.com/store/apps/details?id=com.newspicks"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://apps.apple.com/us/app/%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%BA%E3%83%94%E3%83%83%E3%82%AF%E3%82%B9-%E3%83%93%E3%82%B8%E3%83%8D%E3%82%B9%E3%81%AB%E5%BD%B9%E7%AB%8B%E3%81%A4%E7%B5%8C%E6%B8%88%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%B9%E3%82%A2%E3%83%97%E3%83%AA/id640956497"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN32739265/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://play.google.com/store/apps/details?id=com.newspicks"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}