FKIE_CVE-2014-6611

Vulnerability from fkie_nvd - Published: 2014-10-25 10:55 - Updated: 2026-05-06 22:30
Severity ?
Summary
The BlackBerry World app before 5.0.0.262 on BlackBerry 10 OS 10.2.0, before 5.0.0.263 on BlackBerry 10 OS 10.2.1, and before 5.1.0.53 on BlackBerry 10 OS 10.3.0 does not properly validate download/update requests, which allows user-assisted man-in-the-middle attackers to spoof servers and trigger the download of a crafted app by modifying the client-server data stream.
References
cve@mitre.orghttp://secunia.com/advisories/61013
cve@mitre.orghttp://www.blackberry.com/btsc/kb36360Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/61013
af854a3a-2127-422b-91ae-364da2661108http://www.blackberry.com/btsc/kb36360Vendor Advisory
Impacted products
Vendor Product Version
blackberry blackberry_world *
blackberry blackberry_os 10.3.0
blackberry blackberry_world *
blackberry blackberry_os 10.2.1
blackberry blackberry_world *
blackberry blackberry_os 10.2.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:blackberry:blackberry_world:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E80CAE1-33F2-4E2F-84D5-09D55E911812",
              "versionEndIncluding": "5.1.0.52",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:blackberry:blackberry_os:10.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "43261390-B10E-452D-9274-9ECA5925AF09",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:blackberry:blackberry_world:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "58F89E3E-43FE-4D2F-A0DE-98AC2D45F6BD",
              "versionEndIncluding": "5.0.0.262",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:blackberry:blackberry_os:10.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2621E2FD-B7A7-4B88-9E65-975002C7ED55",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:blackberry:blackberry_world:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "33A119CA-0D43-4332-AE52-7420C5E83835",
              "versionEndIncluding": "5.0.0.261",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:blackberry:blackberry_os:10.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E1217750-76BC-4CC1-AA35-4C93BB53F253",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The BlackBerry World app before 5.0.0.262 on BlackBerry 10 OS 10.2.0, before 5.0.0.263 on BlackBerry 10 OS 10.2.1, and before 5.1.0.53 on BlackBerry 10 OS 10.3.0 does not properly validate download/update requests, which allows user-assisted man-in-the-middle attackers to spoof servers and trigger the download of a crafted app by modifying the client-server data stream."
    },
    {
      "lang": "es",
      "value": "La aplicaci\u00f3n BlackBerry World anterior a 5.0.0.262 en BlackBerry 10 OS 10.2.0, anterior a 5.0.0.263 en BlackBerry 10 OS 10.2.1, y anterior a 5.1.0.53 en BlackBerry 10 OS 10.3.0 no valida debidamente las solicitudes de descarga de actualizaciones, lo que permite a atacantes man-in-the-middle asistidos por usuarios suplantar servidores y provocar la descarga de una aplicaci\u00f3n manipulada mediante la modificaci\u00f3n del flujo de datos del servidor cliente."
    }
  ],
  "id": "CVE-2014-6611",
  "lastModified": "2026-05-06T22:30:45.220",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-10-25T10:55:06.743",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/61013"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.blackberry.com/btsc/kb36360"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/61013"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.blackberry.com/btsc/kb36360"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.