CVE-2018-0691
Severity CVSS v4.0:
Pending analysis
Type:
CWE-295
Improper Certificate Validation
Publication date:
15/11/2018
Last modified:
04/02/2019
Description
Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App for Android prior to version 1.0.6, and KDDI +Message App for iOS prior to version 1.1.23) do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:kddi:\+_message:*:*:*:*:*:*:*:* | 1.0.6 (excluding) | |
| cpe:2.3:a:ntttocomo:\+_message:*:*:*:*:*:*:*:* | 42.40.2800 (excluding) | |
| cpe:2.3:a:softbank:\+_message:*:*:*:*:*:*:*:* | 10.1.7 (excluding) | |
| cpe:2.3:o:google:android:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:kddi:\+_message:*:*:*:*:*:*:*:* | 1.1.23 (excluding) | |
| cpe:2.3:a:ntt_tocomo:\+_message:*:*:*:*:*:*:*:* | 1.1.23 (excluding) | |
| cpe:2.3:a:softbank:\+_message:*:*:*:*:*:*:*:* | 1.1.23 (excluding) | |
| cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page