CVE-2024-11026

A vulnerability was found in Intelligent Apps Freenow App 12.10.0 on Android. It has been rated as problematic. Affected by this issue is some unknown functionality of the file ch/qos/logback/core/net/ssl/SSL.java of the component Keystore Handler. The manipulation of the argument DEFAULT_KEYSTORE_PASSWORD with the input changeit leads to use of hard-coded password. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:free-now:freenow:12.10.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

History

23 Nov 2024, 01:44

Type Values Removed Values Added
CWE CWE-798
CPE cpe:2.3:a:free-now:freenow:12.10.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
First Time Free-now freenow
Free-now
Google
Google android
References () https://github.com/secuserx/CVE/blob/main/%5BHardcoded%20Keystore%20Password%5D%20found%20in%20FREENOW%20(ex%20Beat%20app)%2012.10.0%20-%20(SSL.java).md - () https://github.com/secuserx/CVE/blob/main/%5BHardcoded%20Keystore%20Password%5D%20found%20in%20FREENOW%20(ex%20Beat%20app)%2012.10.0%20-%20(SSL.java).md - Exploit, Third Party Advisory
References () https://vuldb.com/?ctiid.283544 - () https://vuldb.com/?ctiid.283544 - Permissions Required
References () https://vuldb.com/?id.283544 - () https://vuldb.com/?id.283544 - Third Party Advisory
References () https://vuldb.com/?submit.434538 - () https://vuldb.com/?submit.434538 - Third Party Advisory

12 Nov 2024, 13:56

Type Values Removed Values Added
Summary
  • (es) Se ha encontrado una vulnerabilidad en Intelligent Apps Freenow App 12.10.0 para Android. Se ha calificado como problemática. Este problema afecta a una funcionalidad desconocida del archivo ch/qos/logback/core/net/ssl/SSL.java del componente Keystore Handler. La manipulación del argumento DEFAULT_KEYSTORE_PASSWORD con la entrada changeit conduce al uso de una contraseña codificada. El ataque puede iniciarse de forma remota. La complejidad de un ataque es bastante alta. Se sabe que la explotación es difícil. La explotación se ha divulgado al público y puede utilizarse. Se contactó al proveedor con anticipación sobre esta divulgación, pero no respondió de ninguna manera.

08 Nov 2024, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-08 22:15

Updated : 2024-11-23 01:44


NVD link : CVE-2024-11026

Mitre link : CVE-2024-11026

CVE.ORG link : CVE-2024-11026


JSON object : View

Products Affected

google

  • android

free-now

  • freenow
CWE
CWE-255

Credentials Management Errors

CWE-259

Use of Hard-coded Password

CWE-798

Use of Hard-coded Credentials