CVE-2023-44689 - OpenCVE

e-Gov Client Application (Windows version) versions prior to 2.1.1.0 and e-Gov Client Application (macOS version) versions prior to 1.1.1.0 are vulnerable to improper authorization in handler for custom URL scheme. A crafted URL may direct the product to access an arbitrary website. As a result, the user may become a victim of a phishing attack.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
E-gov	E-gov

Configuration 1 [-]

OR	cpe:2.3:a:e-gov:e-gov::::::macos::*
	cpe:2.3:a:e-gov:e-gov::::::windows::*

No data.

References

Link	Providers
https://jvn.jp/en/jp/JVN15808274/
https://shinsei.e-gov.go.jp/contents/news/2023-03-12t1022040900_1318.html

History

Wed, 18 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2023-10-11T00:06:37.575Z

Updated: 2024-09-18T16:03:05.350Z

Reserved: 2023-10-02T05:03:23.579Z

Link: CVE-2023-44689

Vulnrichment

Updated: 2024-08-02T20:07:33.452Z

NVD

Status : Analyzed

Published: 2023-10-11T01:15:08.780

Modified: 2023-10-18T01:26:08.613

Link: CVE-2023-44689

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-44689", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2023-10-02T05:03:23.579Z", "datePublished": "2023-10-11T00:06:37.575Z", "dateUpdated": "2024-09-18T16:03:05.350Z"}, "containers": {"cna": {"affected": [{"vendor": "Digital Agency", "product": "e-Gov Client Application (Windows version)", "versions": [{"version": "versions prior to 2.1.1.0", "status": "affected"}]}, {"vendor": "Digital Agency", "product": "e-Gov Client Application (macOS version)", "versions": [{"version": "versions prior to 1.1.1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "e-Gov Client Application (Windows version) versions prior to 2.1.1.0 and e-Gov Client Application (macOS version) versions prior to 1.1.1.0 are vulnerable to improper authorization in handler for custom URL scheme. A crafted URL may direct the product to access an arbitrary website. As a result, the user may become a victim of a phishing attack."}], "problemTypes": [{"descriptions": [{"description": "Improper authorization in handler for custom URL scheme", "lang": "en", "type": "text"}]}], "references": [{"url": "https://shinsei.e-gov.go.jp/contents/news/2023-03-12t1022040900_1318.html"}, {"url": "https://jvn.jp/en/jp/JVN15808274/"}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2023-10-11T00:06:37.575Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:07:33.452Z"}, "title": "CVE Program Container", "references": [{"url": "https://shinsei.e-gov.go.jp/contents/news/2023-03-12t1022040900_1318.html", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN15808274/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T16:02:54.663068Z", "id": "CVE-2023-44689", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T16:03:05.350Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://shinsei.e-gov.go.jp/contents/news/2023-03-12t1022040900_1318.html", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN15808274/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:07:33.452Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-44689", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-18T16:02:54.663068Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T16:03:00.547Z"}}], "cna": {"affected": [{"vendor": "Digital Agency", "product": "e-Gov Client Application (Windows version)", "versions": [{"status": "affected", "version": "versions prior to 2.1.1.0"}]}, {"vendor": "Digital Agency", "product": "e-Gov Client Application (macOS version)", "versions": [{"status": "affected", "version": "versions prior to 1.1.1.0"}]}], "references": [{"url": "https://shinsei.e-gov.go.jp/contents/news/2023-03-12t1022040900_1318.html"}, {"url": "https://jvn.jp/en/jp/JVN15808274/"}], "descriptions": [{"lang": "en", "value": "e-Gov Client Application (Windows version) versions prior to 2.1.1.0 and e-Gov Client Application (macOS version) versions prior to 1.1.1.0 are vulnerable to improper authorization in handler for custom URL scheme. A crafted URL may direct the product to access an arbitrary website. As a result, the user may become a victim of a phishing attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Improper authorization in handler for custom URL scheme"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2023-10-11T00:06:37.575Z"}}}, "cveMetadata": {"cveId": "CVE-2023-44689", "state": "PUBLISHED", "dateUpdated": "2024-09-18T16:03:05.350Z", "dateReserved": "2023-10-02T05:03:23.579Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2023-10-11T00:06:37.575Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:e-gov:e-gov:*:*:*:*:*:macos:*:*", "matchCriteriaId": "4012C390-D23C-4B89-8291-3540FC17B971", "versionEndExcluding": "1.1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:e-gov:e-gov:*:*:*:*:*:windows:*:*", "matchCriteriaId": "A31BFDC2-3D8A-4535-897C-5F6FC78CB5C2", "versionEndExcluding": "2.1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "e-Gov Client Application (Windows version) versions prior to 2.1.1.0 and e-Gov Client Application (macOS version) versions prior to 1.1.1.0 are vulnerable to improper authorization in handler for custom URL scheme. A crafted URL may direct the product to access an arbitrary website. As a result, the user may become a victim of a phishing attack."}, {"lang": "es", "value": "Las versiones de la aplicaci\u00f3n e-Gov Client (versi\u00f3n de Windows) anteriores a 2.1.1.0 y las versiones de la aplicaci\u00f3n e-Gov Client (versi\u00f3n de macOS) anteriores a 1.1.1.0 son vulnerables a una autorizaci\u00f3n inadecuada en el controlador del esquema de URL personalizado. Una URL manipulada puede dirigir el producto a acceder a un sitio web arbitrario. Como resultado, el usuario puede convertirse en v\u00edctima de un ataque de phishing."}], "id": "CVE-2023-44689", "lastModified": "2023-10-18T01:26:08.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-11T01:15:08.780", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN15808274/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Release Notes"], "url": "https://shinsei.e-gov.go.jp/contents/news/2023-03-12t1022040900_1318.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}