CVE-2022-34908

by mrahier96

Abstract Advisory Information

The application has an authentication mechanism; however, some features do not require any token or cookie in the request.

This implies that by sending a simple HTTP request to the right endpoint, it could be possible to retrieve all the application’s data. It would also be possible to export some new data anonymously.

Authors: Valentin Giannini & Alexandre Guldner
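The following is an added example, not code from the advisory or from the vendor: it shows one way this class of gap can arise and a regression check that catches it. It assumes authentication is checked inside each handler and one handler omits the check; the route names, token and handlers are all hypothetical.

```python
# Constructed example: routes, token and handlers are hypothetical, not A4N's.
import hmac

VALID_TOKEN = "constructed-session-token"

def authenticated(request):
    """True when the request carries the expected bearer token."""
    supplied = request.get("headers", {}).get("Authorization", "")
    expected = f"Bearer {VALID_TOKEN}"
    return hmac.compare_digest(supplied.encode(), expected.encode())

# Weak pattern: every handler has to remember its own check.
def list_records(request):
    if not authenticated(request):
        return 401, "authentication required"
    return 200, ["record-1", "record-2"]

def export_records(request):  # check forgotten: answers any caller
    return 200, "export accepted"

def login(request):  # intentionally public
    return 200, "login form"

ROUTES = {"/login": login, "/records": list_records, "/export": export_records}

def dispatch_weak(path, request):
    return ROUTES[path](request)

# Hardened pattern: one central gate, deny by default, explicit allowlist.
PUBLIC_PATHS = {"/login"}

def dispatch_hardened(path, request):
    if path not in PUBLIC_PATHS and not authenticated(request):
        return 401, "authentication required"
    return ROUTES[path](request)

def audit_unauthenticated(dispatch, routes, public_paths):
    """Non-public paths that answer a credential-less request without a 401."""
    exposed = []
    for path in sorted(routes):
        status, _ = dispatch(path, {"headers": {}})
        if path not in public_paths and status != 401:
            exposed.append(path)
    return exposed

if __name__ == "__main__":
    print("weak:", audit_unauthenticated(dispatch_weak, ROUTES, PUBLIC_PATHS))
    print("hardened:", audit_unauthenticated(dispatch_hardened, ROUTES, PUBLIC_PATHS))
```

Running the audit over the full route table in CI turns a forgotten check into a failing build instead of an exposed endpoint.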

Version affected

Name: A4N (Aremis 4 Nomad) Android mobile application

Versions: 1.5.0

Common Vulnerability Scoring System

8.2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Patch

1.5.1 (B221115)

References

Vulnerability Disclosure Timeline

  • 11/05/2022: Vulnerability discovery
  • 12/05/2022: Vulnerability Report to CERT-XLM
  • 17/05/2022: Vulnerability Report to Vendor through Contact Form
  • 17/05/2022: Vulnerability Report to Vendor through investigation
  • 19/05/2022: Vulnerability Report to Vendor through investigation
  • 03/06/2022: Called vendor, redirected us to an email address
  • 03/06/2022: Vulnerability Report to Vendor through investigation
  • 10/06/2022: Vulnerability Report to Vendor through investigation
  • 17/06/2022: Vulnerability Report to Vendor through investigation
  • 24/06/2022: Called vendor again to press on them, gave cert@ email address to recontact us
  • 24/06/2022: Vulnerability Report to the Director Information System through investigation
  • 01/07/2022: Vulnerability Report shared with the vendor
  • 01/07/2022: Request CVE ID to Mitre
  • 02/07/2022: CVE number assigned
  • 11/07/2022: Acknowledgement from vendor. Vulnerabilities will be fixed by the end of September
  • 15/07/2022: Call with the vendor. Vulnerabilities will be fixed by the end of September
  • 30/09/2022: Asked the vendor for an update.
  • 21/10/2022: Asked the vendor for an update.
  • 28/10/2022: Asked the vendor for an update. Vendor said that they will test the fixes in mid-November
  • 02/12/2022: Asked the vendor for an update.
  • 09/12/2022: Asked the vendor for an update.
  • 12/12/2022: Vendor confirmed that they did a second pen test and most flaws are solved. A final report should arrive by the end of the year.
  • 06/01/2023: Asked the vendor for an update.
  • 09/01/2023: Vendor sent latest vulnerability fix report. According to their report the vulnerabilities would be fixed. Vendor says they are waiting for a second pentest to publish the patch.
  • 13/01/2023: Asked the vendor for an update
  • 25/01/2023: Addressed and fixed in version: 1.5.1 (B221115).
  • 24/02/2023: Public disclosure by Excellium Services in accordance with Aremis Group