Design/Logic Flaw

2012-10-2417:55:00

PRIOn knowledge base

www.prio-n.com

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

45.9%

JSON

The Zoner AntiVirus Free application for Android does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, as demonstrated by a server used for updating virus signature files.

CPENameOperatorVersion
zoner_antivirus_freeeq1.7.0

CPE	Name	Operator	Version
	zoner_antivirus_free	eq	1.7.0

References

www.securityfocus.com/bid/56292

www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf

exchange.xforce.ibmcloud.com/vulnerabilities/79591