Vulnerability-Lookup - Search a vulnerability

Refine your search

Product

Sort by

Order

Sources

1 vulnerability found for trainserviceinfo by East Japan Railway Company

jvndb-2019-000021

Vulnerability from jvndb

Published

2019-04-01 15:42

Modified

2019-04-01 15:42

Severity ?

6.5 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

API server used by JR East Japan train operation information push notification App for Android fails to restrict access permissions

Details

JR East Japan train operation information push notification App for Android provided by East Japan Railway Company fails to restrict access permissions (CWE-284). The application is no longer available/supported, and its service was ended in 2019 march 23. Tomoya Takahashi of TCU Communication engineering Club reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN01119243/index.html
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5954
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-5954
	Permissions(CWE-264)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

East Japan Railway Company

trainserviceinfo

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000021.html",
  "dc:date": "2019-04-01T15:42+09:00",
  "dcterms:issued": "2019-04-01T15:42+09:00",
  "dcterms:modified": "2019-04-01T15:42+09:00",
  "description": "JR East Japan train operation information push notification App for Android provided by East Japan Railway Company fails to restrict access permissions (CWE-284).\r\n The application is no longer available/supported, and its service was ended in 2019 march 23.\r\n\r\nTomoya Takahashi of TCU Communication engineering Club reported this vulnerability to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000021.html",
  "sec:cpe": {
    "#text": "cpe:/a:jreast:jreast_trainserviceinfo",
    "@product": "trainserviceinfo",
    "@vendor": "East Japan Railway Company",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "6.4",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "6.5",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2019-000021",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN01119243/index.html",
      "@id": "JVN#01119243",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5954",
      "@id": "CVE-2019-5954",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5954",
      "@id": "CVE-2019-5954",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-264",
      "@title": "Permissions(CWE-264)"
    }
  ],
  "title": "API server used by JR East Japan train operation information push notification App for Android fails to restrict access permissions"
}