CVE-2017-16905

Опубликовано: 05 янв. 2018

Источник: nvd

CVSS3: 8.1

CVSS2: 6.8

EPSS Низкий

Описание

The DuoLingo TinyCards application before 1.0 for Android has one use of unencrypted HTTP, which allows remote attackers to spoof content, and consequently achieve remote code execution, via a man-in-the-middle attack.

Ссылки

https://hackerone.com/reports/281605
Exploit
Third Party Advisory
https://wwws.nightwatchcybersecurity.com/2018/01/04/rce-in-duolingos-tinycards-app-for-android-cve-2017-16905/
Third Party Advisory
https://hackerone.com/reports/281605
Exploit
Third Party Advisory
https://wwws.nightwatchcybersecurity.com/2018/01/04/rce-in-duolingos-tinycards-app-for-android-cve-2017-16905/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:duolingo:tinycards:*:*:*:*:*:*:*:*

Версия до 1.0 (исключая)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

EPSS

Процентиль: 85%

0.02545

Низкий

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-94

Связанные уязвимости

GHSA-m38j-h3g6-jjjc