Japan Vulnerability Notes, JVN:55045256
Jun 07, 2024 - 12:00 a.m.

JVN#55045256: Multiple vulnerabilities in "FreeFrom - the nostr client" App

Source: Japan Vulnerability Notes (jvn.jp)
Tags: freefrom, nostr client, vulnerabilities, android, ios, update, cryptographic signature, integrity checking, encryption, manipulation, man-in-the-middle attack

CVSS3: 5.3

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score: 6.8 (Confidence: Low)

“FreeFrom - the nostr client” App provided by FreeFrom K.K. contains multiple vulnerabilities listed below.

  • Improper verification of cryptographic signature (CWE-347), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, Base Score 5.3, CVE-2024-36277
  • Reliance on obfuscation or encryption of security-relevant inputs without integrity checking (CWE-649), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, Base Score 5.3, CVE-2024-36279
  • Reusing a nonce, key pair in encryption (CWE-323), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, Base Score 5.3, CVE-2024-36289

Impact

  • The affected app cannot detect event data with invalid signatures (CVE-2024-36277)
  • The content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack (CVE-2024-36279, CVE-2024-36289)

Solution

Update the application
Update the application to the latest version according to the information provided by the developer.

Products Affected

  • “FreeFrom - the nostr client” App for Android versions prior to 1.3.5
  • “FreeFrom - the nostr client” App for iOS versions prior to 1.3.5
