Lucene search

[email protected]CVE-2022-43543

HistoryDec 21, 2022 - 9:15 a.m.

CVE-2022-43543

2022-12-2109:15:07

[email protected]

web.nvd.nist.gov

cve-2022-43543

vulnerability

kddi

ntt docomo

softbank

+message app

android

ios

unicode control characters

phishing

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.0%

JSON

KDDI +Message App, NTT DOCOMO +Message App, and SoftBank +Message App contain a vulnerability caused by improper handling of Unicode control characters. +Message App displays text unprocessed, even when control characters are contained, and the text is shown based on Unicode control character’s specifications. Therefore, a crafted text may display misleading web links. As a result, a spoofed URL may be displayed and phishing attacks may be conducted. Affected products and versions are as follows: KDDI +Message App for Android prior to version 3.9.2 and +Message App for iOS prior to version 3.9.4, NTT DOCOMO +Message App for Android prior to version 54.49.0500 and +Message App for iOS prior to version 3.9.4, and SoftBank +Message App for Android prior to version 12.9.5 and +Message App for iOS prior to version 3.9.4

Affected configurations

Vulners

NVD

Node

kddi_corporation\,_ntt_docomo\,_inc.\,_and_softbank_corp.kddi_\+message_app_for_android_and_for_ios\,_ntt_docomo_\+message_app_for_android_and_for_ios\,_and_softbank_\+message_app_for_android_and_for_iosRange<3.9.2

CPENameOperatorVersion
docomo:\+_messagedocomo + messagelt3.9.4
docomo:\+_messagedocomo + messagelt54.49.0500
kddi:\+_messagekddi + messagelt3.9.2
kddi:\+_messagekddi + messagelt3.9.4
softbank:\+_messagesoftbank + messagelt3.9.4
softbank:\+_messagesoftbank + messagelt12.9.5

CPE	Name	Operator	Version
docomo:\+_message	docomo + message	lt	3.9.4
docomo:\+_message	docomo + message	lt	54.49.0500
kddi:\+_message	kddi + message	lt	3.9.2
kddi:\+_message	kddi + message	lt	3.9.4
softbank:\+_message	softbank + message	lt	3.9.4
softbank:\+_message	softbank + message	lt	12.9.5

CNA Affected

[
  {
    "vendor": "KDDI CORPORATION, NTT DOCOMO, INC., and SoftBank Corp.",
    "product": "KDDI +Message App for Android and for iOS, NTT DOCOMO +Message App for Android and for iOS, and SoftBank +Message App for Android and for iOS",
    "versions": [
      {
        "version": "KDDI +Message App for Android prior to version 3.9.2 and +Message App for iOS prior to version 3.9.4, NTT DOCOMO +Message App for Android prior to version 54.49.0500 and +Message App for iOS prior to version 3.9.4, and SoftBank +Message App for Android prior to version 12.9.5 and +Message App for iOS prior to version 3.9.4",
        "status": "affected"
      }
    ]
  }
]

References

jvn.jp/en/jp/JVN43561812/index.html

www.au.com/mobile/service/plus-message/information/

www.docomo.ne.jp/service/plus_message/

www.softbank.jp/mobile/service/plus-message/

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.0%

JSON

Related for CVE-2022-43543

jvn1 prion1 nvd1 cvelist1