CVE-2021-21385

Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62.

CVSS v3 7.4 HIGH
CVSS v2.0 5.8 MEDIUM

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d	Patch Third Party Advisory
https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx	Patch Third Party Advisory
https://openmf.github.io/mobileapps.github.io/	Product Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mifos:mifos-mobile:*:*:*:*:*:android:*:*

History

No history.

Information

Published : 2021-03-24 21:15

Updated : 2024-02-04 21:23

NVD link : CVE-2021-21385

Mitre link : CVE-2021-21385

CVE.ORG link : CVE-2021-21385

JSON object : View

Products Affected

mifos

mifos-mobile

CWE

CWE-295

Improper Certificate Validation

CWE-297

Improper Validation of Certificate with Host Mismatch

{"id": "CVE-2021-21385", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-03-24T21:15:15.070", "references": [{"url": "https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfeaa90d", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://openmf.github.io/mobileapps.github.io/", "tags": ["Product", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-297"}]}], "descriptions": [{"lang": "en", "value": "Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62."}, {"lang": "es", "value": "La aplicaci\u00f3n de Android Mifos-Mobile para MifosX es una aplicaci\u00f3n de Android construida sobre la plataforma de autoservicio MifosX. Mifos-Mobile versiones anteriores al commit e505f62 deshabilita la comprobaci\u00f3n del nombre de host HTTPS de su cliente HTTP. Adem\u00e1s, acept\u00f3 como v\u00e1lido cualquier certificado autofirmado. La comprobaci\u00f3n del nombre de host es una parte importante cuando es usado HTTPS para garantizar que el certificado presentado sea v\u00e1lido para el host. Deshabilitarlo puede permitir ataques de tipo man-in-the-middle. Aceptar cualquier certificado, inclusive los autofirmados, permite ataques de tipo man-in-the-middle. Este problema es corregido en mifos-mobile commit e505f62"}], "lastModified": "2021-03-30T18:30:54.153", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mifos:mifos-mobile:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "06D0F700-A34C-4383-97E7-0C7FE2707CDD", "versionEndExcluding": "2021-03-14"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}