Search
Find a vulnerability
Search criteria
14 vulnerabilities by LINE
VAR-201602-0156
Vulnerability from variot - Updated: 2025-04-13 23:37LINE 4.3.0.724 and earlier on Windows and 4.3.1 and earlier on OS X allows remote authenticated users to cause a denial of service (application crash) via a crafted post that is mishandled when displaying a Timeline. LINE for Windows and LINE for Mac OS contain a denial-of-service (DoS) vulnerability due to an issue in displaying the Timeline. Jun Kokatsu of KDDI Singapore Dubai Branch reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.By displaying a specially crafted post in Timeline, the product may be abnormally terminated. NHN PlayArt LINE is a set of instant chat software developed by Japan NHN PlayArt Company. The software supports free calls, sending text messages and more
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201602-0156",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "line",
"scope": "lte",
"trust": 1.0,
"vendor": "linecorp",
"version": "4.3.0.724"
},
{
"model": "line",
"scope": "lte",
"trust": 1.0,
"vendor": "linecorp",
"version": "4.3.1"
},
{
"model": "line",
"scope": "lte",
"trust": 0.8,
"vendor": "line",
"version": "for mac os 4.3.1"
},
{
"model": "line",
"scope": "lte",
"trust": 0.8,
"vendor": "line",
"version": "for windows 4.3.0.724"
},
{
"model": "mac os x",
"scope": null,
"trust": 0.6,
"vendor": "apple",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-000029"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-389"
},
{
"db": "NVD",
"id": "CVE-2016-1156"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:linecorp:line",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-000029"
}
]
},
"cve": "CVE-2016-1156",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "CVE-2016-1156",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 1.0,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "IPA",
"availabilityImpact": "Partial",
"baseScore": 4.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2016-000029",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "VHN-89975",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:S/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.1,
"id": "CVE-2016-1156",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "IPA",
"availabilityImpact": "Low",
"baseScore": 3.5,
"baseSeverity": "Low",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2016-000029",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2016-1156",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "IPA",
"id": "JVNDB-2016-000029",
"trust": 0.8,
"value": "Low"
},
{
"author": "CNNVD",
"id": "CNNVD-201602-389",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-89975",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-89975"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000029"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-389"
},
{
"db": "NVD",
"id": "CVE-2016-1156"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "LINE 4.3.0.724 and earlier on Windows and 4.3.1 and earlier on OS X allows remote authenticated users to cause a denial of service (application crash) via a crafted post that is mishandled when displaying a Timeline. LINE for Windows and LINE for Mac OS contain a denial-of-service (DoS) vulnerability due to an issue in displaying the Timeline. Jun Kokatsu of KDDI Singapore Dubai Branch reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.By displaying a specially crafted post in Timeline, the product may be abnormally terminated. NHN PlayArt LINE is a set of instant chat software developed by Japan NHN PlayArt Company. The software supports free calls, sending text messages and more",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-1156"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000029"
},
{
"db": "VULHUB",
"id": "VHN-89975"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-1156",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000029",
"trust": 2.5
},
{
"db": "JVN",
"id": "JVN46044093",
"trust": 2.5
},
{
"db": "CNNVD",
"id": "CNNVD-201602-389",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-89975",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-89975"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000029"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-389"
},
{
"db": "NVD",
"id": "CVE-2016-1156"
}
]
},
"id": "VAR-201602-0156",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-89975"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-13T23:37:29.789000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "[Security Notice] Fixed Vulnerability in LINE for PC (Windows/Mac OS)",
"trust": 0.8,
"url": "http://linecorp.com/ja/security/article/53"
},
{
"title": "NHN PlayArt LINE Remediation measures for denial of service vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60286"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-000029"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-389"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-89975"
},
{
"db": "NVD",
"id": "CVE-2016-1156"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://jvn.jp/en/jp/jvn46044093/index.html"
},
{
"trust": 1.7,
"url": "http://linecorp.com/ja/security/article/53"
},
{
"trust": 1.7,
"url": "http://jvndb.jvn.jp/jvndb/jvndb-2016-000029"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1156"
},
{
"trust": 0.8,
"url": "https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1156"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-89975"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000029"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-389"
},
{
"db": "NVD",
"id": "CVE-2016-1156"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-89975"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000029"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-389"
},
{
"db": "NVD",
"id": "CVE-2016-1156"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-02-19T00:00:00",
"db": "VULHUB",
"id": "VHN-89975"
},
{
"date": "2016-02-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-000029"
},
{
"date": "2016-02-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201602-389"
},
{
"date": "2016-02-19T19:59:02.127000",
"db": "NVD",
"id": "CVE-2016-1156"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-05-11T00:00:00",
"db": "VULHUB",
"id": "VHN-89975"
},
{
"date": "2016-03-10T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-000029"
},
{
"date": "2020-05-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201602-389"
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2016-1156"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201602-389"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "LINE for Windows and LINE for Mac OS vulnerable to denial-of-service (DoS)",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-000029"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201602-389"
}
],
"trust": 0.6
}
}
VAR-201408-0035
Vulnerability from variot - Updated: 2025-04-12 23:19LINE 3.2.1.83 and earlier on Windows and 3.2.1 and earlier on OS X does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. LINE is prone to a security-bypass vulnerability because the application fails to properly validate SSL certificates. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. NHN PlayArt LINE is a set of instant chat software developed by Japan NHN PlayArt Company. The software supports free calls, sending text messages and more. There are security vulnerabilities in NHN PlayArt LINE 3.2.1.83 and earlier versions based on Windows platform and NHN PlayArt LINE 3.2.1 and earlier versions based on OS X platform
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201408-0035",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "line",
"scope": "lte",
"trust": 1.0,
"vendor": "linecorp",
"version": "3.2.1"
},
{
"model": "line",
"scope": "lte",
"trust": 1.0,
"vendor": "linecorp",
"version": "3.2.1.83"
},
{
"model": "line",
"scope": "lte",
"trust": 0.8,
"vendor": "line",
"version": "3.2.1 (mac os x)"
},
{
"model": "line",
"scope": "lte",
"trust": 0.8,
"vendor": "line",
"version": "3.2.1.83 (windows)"
},
{
"model": "line",
"scope": "eq",
"trust": 0.6,
"vendor": "linecorp",
"version": "3.2.1.83"
},
{
"model": "line",
"scope": "eq",
"trust": 0.6,
"vendor": "linecorp",
"version": "3.2.1"
},
{
"model": "line",
"scope": "eq",
"trust": 0.3,
"vendor": "line",
"version": "3.2.1.83"
},
{
"model": "line",
"scope": "eq",
"trust": 0.3,
"vendor": "line",
"version": "3.2.1"
}
],
"sources": [
{
"db": "BID",
"id": "69336"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006631"
},
{
"db": "CNNVD",
"id": "CNNVD-201408-261"
},
{
"db": "NVD",
"id": "CVE-2013-7144"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:linecorp:line",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006631"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "nu Sub Kittikul",
"sources": [
{
"db": "BID",
"id": "69336"
}
],
"trust": 0.3
},
"cve": "CVE-2013-7144",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2013-7144",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-67146",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2013-7144",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2013-7144",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-201408-261",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-67146",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-67146"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006631"
},
{
"db": "CNNVD",
"id": "CNNVD-201408-261"
},
{
"db": "NVD",
"id": "CVE-2013-7144"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "LINE 3.2.1.83 and earlier on Windows and 3.2.1 and earlier on OS X does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. LINE is prone to a security-bypass vulnerability because the application fails to properly validate SSL certificates. \nSuccessfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. NHN PlayArt LINE is a set of instant chat software developed by Japan NHN PlayArt Company. The software supports free calls, sending text messages and more. There are security vulnerabilities in NHN PlayArt LINE 3.2.1.83 and earlier versions based on Windows platform and NHN PlayArt LINE 3.2.1 and earlier versions based on OS X platform",
"sources": [
{
"db": "NVD",
"id": "CVE-2013-7144"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006631"
},
{
"db": "BID",
"id": "69336"
},
{
"db": "VULHUB",
"id": "VHN-67146"
}
],
"trust": 1.98
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-7144",
"trust": 2.8
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006631",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201408-261",
"trust": 0.7
},
{
"db": "BID",
"id": "69336",
"trust": 0.4
},
{
"db": "VULHUB",
"id": "VHN-67146",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-67146"
},
{
"db": "BID",
"id": "69336"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006631"
},
{
"db": "CNNVD",
"id": "CNNVD-201408-261"
},
{
"db": "NVD",
"id": "CVE-2013-7144"
}
]
},
"id": "VAR-201408-0035",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-67146"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-12T23:19:52.888000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://linecorp.com/"
},
{
"title": "Line_2014_325.1395901470",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51682"
},
{
"title": "LineInst3.6.0.32.1402034880",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51681"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006631"
},
{
"db": "CNNVD",
"id": "CNNVD-201408-261"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-310",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-67146"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006631"
},
{
"db": "NVD",
"id": "CVE-2013-7144"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.8,
"url": "https://www.thaicert.or.th/papers/general/2013/pa2013ge010.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7144"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-7144"
},
{
"trust": 0.3,
"url": "http://line.me/en/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-67146"
},
{
"db": "BID",
"id": "69336"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006631"
},
{
"db": "CNNVD",
"id": "CNNVD-201408-261"
},
{
"db": "NVD",
"id": "CVE-2013-7144"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-67146"
},
{
"db": "BID",
"id": "69336"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006631"
},
{
"db": "CNNVD",
"id": "CNNVD-201408-261"
},
{
"db": "NVD",
"id": "CVE-2013-7144"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-08-16T00:00:00",
"db": "VULHUB",
"id": "VHN-67146"
},
{
"date": "2013-12-20T00:00:00",
"db": "BID",
"id": "69336"
},
{
"date": "2014-08-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006631"
},
{
"date": "2014-08-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201408-261"
},
{
"date": "2014-08-16T04:39:55.613000",
"db": "NVD",
"id": "CVE-2013-7144"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-08-18T00:00:00",
"db": "VULHUB",
"id": "VHN-67146"
},
{
"date": "2013-12-20T00:00:00",
"db": "BID",
"id": "69336"
},
{
"date": "2014-08-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006631"
},
{
"date": "2014-08-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201408-261"
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2013-7144"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201408-261"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Windows and Mac OS X Run on LINE Vulnerable to server impersonation",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006631"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "encryption problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201408-261"
}
],
"trust": 0.6
}
}
CVE-2015-2968 (GCVE-0-2015-2968)
Vulnerability from nvd – Published: 2023-10-31 09:29 – Updated: 2024-09-12 19:59
VLAI
Summary
LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Script injection
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| LINE Corporation | LINE@ for Android |
Affected:
version 1.0.0
|
|
| LINE Corporation | LINE@ for iOS |
Affected:
version 1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:32:20.717Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://official-blog.line.me/ja/archives/36495925.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN22546110/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2015-2968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T14:29:06.309822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T19:59:35.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "LINE@ for Android",
"vendor": "LINE Corporation",
"versions": [
{
"status": "affected",
"version": "version 1.0.0"
}
]
},
{
"product": "LINE@ for iOS",
"vendor": "LINE Corporation",
"versions": [
{
"status": "affected",
"version": "version 1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Script injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-31T09:29:06.710Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "http://official-blog.line.me/ja/archives/36495925.html"
},
{
"url": "https://jvn.jp/en/jp/JVN22546110/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2015-2968",
"datePublished": "2023-10-31T09:29:06.710Z",
"dateReserved": "2015-04-07T00:00:00.000Z",
"dateUpdated": "2024-09-12T19:59:35.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-0897 (GCVE-0-2015-0897)
Vulnerability from nvd – Published: 2023-10-31 09:28 – Updated: 2024-09-12 20:00
VLAI
Summary
LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Script injection
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| LINE Corporation | LINE for Android |
Affected:
version 5.0.2 and earlier
|
|
| LINE Corporation | LINE for iOS |
Affected:
version 5.0.0 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:26:11.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://official-blog.line.me/ja/archives/24809761.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN41281927/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2015-0897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T15:23:24.014755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:00:26.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "LINE for Android",
"vendor": "LINE Corporation",
"versions": [
{
"status": "affected",
"version": "version 5.0.2 and earlier"
}
]
},
{
"product": "LINE for iOS",
"vendor": "LINE Corporation",
"versions": [
{
"status": "affected",
"version": "version 5.0.0 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Script injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-31T09:28:50.586Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "http://official-blog.line.me/ja/archives/24809761.html"
},
{
"url": "https://jvn.jp/en/jp/JVN41281927/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2015-0897",
"datePublished": "2023-10-31T09:28:50.586Z",
"dateReserved": "2015-01-08T00:00:00.000Z",
"dateUpdated": "2024-09-12T20:00:26.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39731 (GCVE-0-2023-39731)
Vulnerability from nvd – Published: 2023-10-19 00:00 – Updated: 2024-09-13 14:45
VLAI
Summary
The leakage of the client secret in Kaibutsunosato v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-284 - Improper Access Control
Assigner
References
2 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:09.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39731.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://liff.line.me/1657662489-pwEQNzJ4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T14:44:07.505547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T14:45:41.724Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The leakage of the client secret in Kaibutsunosato v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T20:53:40.934Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39731.md"
},
{
"url": "https://liff.line.me/1657662489-pwEQNzJ4"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-39731",
"datePublished": "2023-10-19T00:00:00.000Z",
"dateReserved": "2023-08-07T00:00:00.000Z",
"dateUpdated": "2024-09-13T14:45:41.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38493 (GCVE-0-2023-38493)
Vulnerability from nvd – Published: 2023-07-25 20:51 – Updated: 2024-10-03 18:47
VLAI
Title
Paths contain matrix variables bypass decorators
Summary
Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/line/armeria/security/advisori… | x_refsource_CONFIRM |
| https://github.com/line/armeria/commit/039db50bbf… | x_refsource_MISC |
| https://docs.spring.io/spring-framework/reference… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:55.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j"
},
{
"name": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07"
},
{
"name": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:linecorp:armeria:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "armeria",
"vendor": "linecorp",
"versions": [
{
"lessThan": "1.24.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T18:46:47.972990Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T18:47:47.744Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "armeria",
"vendor": "line",
"versions": [
{
"status": "affected",
"version": "\u003c 1.24.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-25T20:51:11.170Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j"
},
{
"name": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07"
},
{
"name": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html"
}
],
"source": {
"advisory": "GHSA-wvp2-9ppw-337j",
"discovery": "UNKNOWN"
},
"title": "Paths contain matrix variables bypass decorators"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-38493",
"datePublished": "2023-07-25T20:51:11.170Z",
"dateReserved": "2023-07-18T16:28:12.076Z",
"dateUpdated": "2024-10-03T18:47:47.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43795 (GCVE-0-2021-43795)
Vulnerability from nvd – Published: 2021-12-02 18:00 – Updated: 2024-08-04 04:03
VLAI
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in com.linecorp.armeria:armeria
Summary
Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path.
Severity
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/line/armeria/security/advisori… | x_refsource_CONFIRM |
| https://github.com/line/armeria/pull/3855 | x_refsource_MISC |
| https://github.com/line/armeria/commit/e2697a575e… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.810Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/line/armeria/pull/3855"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "armeria",
"vendor": "line",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server\u0027s local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria\u0027s path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-02T18:00:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/line/armeria/pull/3855"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284"
}
],
"source": {
"advisory": "GHSA-8fp4-rp6c-5gcv",
"discovery": "UNKNOWN"
},
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in com.linecorp.armeria:armeria",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43795",
"STATE": "PUBLIC",
"TITLE": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in com.linecorp.armeria:armeria"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "armeria",
"version": {
"version_data": [
{
"version_value": "\u003c 1.13.4"
}
]
}
}
]
},
"vendor_name": "line"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server\u0027s local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria\u0027s path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv",
"refsource": "CONFIRM",
"url": "https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv"
},
{
"name": "https://github.com/line/armeria/pull/3855",
"refsource": "MISC",
"url": "https://github.com/line/armeria/pull/3855"
},
{
"name": "https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284",
"refsource": "MISC",
"url": "https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284"
}
]
},
"source": {
"advisory": "GHSA-8fp4-rp6c-5gcv",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43795",
"datePublished": "2021-12-02T18:00:11.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:03:08.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16771 (GCVE-0-2019-16771)
Vulnerability from nvd – Published: 2019-12-06 19:00 – Updated: 2024-08-05 01:24
VLAI
Title
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria
Summary
Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.
Severity
4.8 (Medium)
CWE
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/line/armeria/security/advisori… | x_refsource_CONFIRM |
| https://github.com/line/armeria/commit/b597f7a865… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Armeria",
"vendor": "LINE",
"versions": [
{
"lessThan": "0.97.0",
"status": "affected",
"version": "\u003c 0.97.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-11T14:46:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20"
}
],
"source": {
"advisory": "GHSA-35fr-h7jr-hh86",
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027) in Armeria",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16771",
"STATE": "PUBLIC",
"TITLE": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027) in Armeria"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Armeria",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "\u003c 0.97.0",
"version_value": "0.97.0"
}
]
}
}
]
},
"vendor_name": "LINE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86",
"refsource": "CONFIRM",
"url": "https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86"
},
{
"name": "https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20",
"refsource": "MISC",
"url": "https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20"
}
]
},
"source": {
"advisory": "GHSA-35fr-h7jr-hh86",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2019-16771",
"datePublished": "2019-12-06T19:00:20.000Z",
"dateReserved": "2019-09-24T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:24:48.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2968 (GCVE-0-2015-2968)
Vulnerability from cvelistv5 – Published: 2023-10-31 09:29 – Updated: 2024-09-12 19:59
VLAI
Summary
LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Script injection
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| LINE Corporation | LINE@ for Android |
Affected:
version 1.0.0
|
|
| LINE Corporation | LINE@ for iOS |
Affected:
version 1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:32:20.717Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://official-blog.line.me/ja/archives/36495925.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN22546110/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2015-2968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T14:29:06.309822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T19:59:35.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "LINE@ for Android",
"vendor": "LINE Corporation",
"versions": [
{
"status": "affected",
"version": "version 1.0.0"
}
]
},
{
"product": "LINE@ for iOS",
"vendor": "LINE Corporation",
"versions": [
{
"status": "affected",
"version": "version 1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Script injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-31T09:29:06.710Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "http://official-blog.line.me/ja/archives/36495925.html"
},
{
"url": "https://jvn.jp/en/jp/JVN22546110/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2015-2968",
"datePublished": "2023-10-31T09:29:06.710Z",
"dateReserved": "2015-04-07T00:00:00.000Z",
"dateUpdated": "2024-09-12T19:59:35.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-0897 (GCVE-0-2015-0897)
Vulnerability from cvelistv5 – Published: 2023-10-31 09:28 – Updated: 2024-09-12 20:00
VLAI
Summary
LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Script injection
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| LINE Corporation | LINE for Android |
Affected:
version 5.0.2 and earlier
|
|
| LINE Corporation | LINE for iOS |
Affected:
version 5.0.0 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:26:11.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://official-blog.line.me/ja/archives/24809761.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN41281927/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2015-0897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T15:23:24.014755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:00:26.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "LINE for Android",
"vendor": "LINE Corporation",
"versions": [
{
"status": "affected",
"version": "version 5.0.2 and earlier"
}
]
},
{
"product": "LINE for iOS",
"vendor": "LINE Corporation",
"versions": [
{
"status": "affected",
"version": "version 5.0.0 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Script injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-31T09:28:50.586Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "http://official-blog.line.me/ja/archives/24809761.html"
},
{
"url": "https://jvn.jp/en/jp/JVN41281927/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2015-0897",
"datePublished": "2023-10-31T09:28:50.586Z",
"dateReserved": "2015-01-08T00:00:00.000Z",
"dateUpdated": "2024-09-12T20:00:26.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39731 (GCVE-0-2023-39731)
Vulnerability from cvelistv5 – Published: 2023-10-19 00:00 – Updated: 2024-09-13 14:45
VLAI
Summary
The leakage of the client secret in Kaibutsunosato v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-284 - Improper Access Control
Assigner
References
2 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:09.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39731.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://liff.line.me/1657662489-pwEQNzJ4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T14:44:07.505547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T14:45:41.724Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The leakage of the client secret in Kaibutsunosato v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T20:53:40.934Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/syz913/CVE-reports/blob/main/CVE-2023-39731.md"
},
{
"url": "https://liff.line.me/1657662489-pwEQNzJ4"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-39731",
"datePublished": "2023-10-19T00:00:00.000Z",
"dateReserved": "2023-08-07T00:00:00.000Z",
"dateUpdated": "2024-09-13T14:45:41.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38493 (GCVE-0-2023-38493)
Vulnerability from cvelistv5 – Published: 2023-07-25 20:51 – Updated: 2024-10-03 18:47
VLAI
Title
Paths contain matrix variables bypass decorators
Summary
Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/line/armeria/security/advisori… | x_refsource_CONFIRM |
| https://github.com/line/armeria/commit/039db50bbf… | x_refsource_MISC |
| https://docs.spring.io/spring-framework/reference… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:55.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j"
},
{
"name": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07"
},
{
"name": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:linecorp:armeria:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "armeria",
"vendor": "linecorp",
"versions": [
{
"lessThan": "1.24.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T18:46:47.972990Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T18:47:47.744Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "armeria",
"vendor": "line",
"versions": [
{
"status": "affected",
"version": "\u003c 1.24.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-25T20:51:11.170Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-wvp2-9ppw-337j"
},
{
"name": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/line/armeria/commit/039db50bbfc88014ea8737fd1e1ddd6fd3fc4f07"
},
{
"name": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/matrix-variables.html"
}
],
"source": {
"advisory": "GHSA-wvp2-9ppw-337j",
"discovery": "UNKNOWN"
},
"title": "Paths contain matrix variables bypass decorators"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-38493",
"datePublished": "2023-07-25T20:51:11.170Z",
"dateReserved": "2023-07-18T16:28:12.076Z",
"dateUpdated": "2024-10-03T18:47:47.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43795 (GCVE-0-2021-43795)
Vulnerability from cvelistv5 – Published: 2021-12-02 18:00 – Updated: 2024-08-04 04:03
VLAI
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in com.linecorp.armeria:armeria
Summary
Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path.
Severity
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/line/armeria/security/advisori… | x_refsource_CONFIRM |
| https://github.com/line/armeria/pull/3855 | x_refsource_MISC |
| https://github.com/line/armeria/commit/e2697a575e… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.810Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/line/armeria/pull/3855"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "armeria",
"vendor": "line",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server\u0027s local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria\u0027s path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-02T18:00:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/line/armeria/pull/3855"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284"
}
],
"source": {
"advisory": "GHSA-8fp4-rp6c-5gcv",
"discovery": "UNKNOWN"
},
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in com.linecorp.armeria:armeria",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43795",
"STATE": "PUBLIC",
"TITLE": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in com.linecorp.armeria:armeria"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "armeria",
"version": {
"version_data": [
{
"version_value": "\u003c 1.13.4"
}
]
}
}
]
},
"vendor_name": "line"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server\u0027s local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria\u0027s path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv",
"refsource": "CONFIRM",
"url": "https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv"
},
{
"name": "https://github.com/line/armeria/pull/3855",
"refsource": "MISC",
"url": "https://github.com/line/armeria/pull/3855"
},
{
"name": "https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284",
"refsource": "MISC",
"url": "https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284"
}
]
},
"source": {
"advisory": "GHSA-8fp4-rp6c-5gcv",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43795",
"datePublished": "2021-12-02T18:00:11.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:03:08.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16771 (GCVE-0-2019-16771)
Vulnerability from cvelistv5 – Published: 2019-12-06 19:00 – Updated: 2024-08-05 01:24
VLAI
Title
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria
Summary
Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.
Severity
4.8 (Medium)
CWE
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/line/armeria/security/advisori… | x_refsource_CONFIRM |
| https://github.com/line/armeria/commit/b597f7a865… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Armeria",
"vendor": "LINE",
"versions": [
{
"lessThan": "0.97.0",
"status": "affected",
"version": "\u003c 0.97.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-11T14:46:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20"
}
],
"source": {
"advisory": "GHSA-35fr-h7jr-hh86",
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027) in Armeria",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16771",
"STATE": "PUBLIC",
"TITLE": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027) in Armeria"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Armeria",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "\u003c 0.97.0",
"version_value": "0.97.0"
}
]
}
}
]
},
"vendor_name": "LINE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86",
"refsource": "CONFIRM",
"url": "https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86"
},
{
"name": "https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20",
"refsource": "MISC",
"url": "https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20"
}
]
},
"source": {
"advisory": "GHSA-35fr-h7jr-hh86",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2019-16771",
"datePublished": "2019-12-06T19:00:20.000Z",
"dateReserved": "2019-09-24T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:24:48.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}