CVE-2020-5523 — HIGH (7.4) — White Hats Nepal

Q: How severe is CVE-2020-5523?

CVE-2020-5523 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-5523?

Check the references section above for vendor advisories and patch information. Affected products include: 77Bank 77 Bank, Ashikagabank Ashigin, Hokkaidobank Dogin, Hokugin Hokuriku Bank Portal, Naganobank Nagagin.

Vulnerability Description

Android App 'MyPallete' and some of the Android banking applications based on 'MyPallete' do not verify X.509 certificates from servers, and also do not properly validate certificates with host-mismatch, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS Score

7.4

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
77Bank	77 Bank	<= 2.0.1
Ashikagabank	Ashigin	<= 1.0.4
Hokkaidobank	Dogin	<= 3.0.1
Hokugin	Hokuriku Bank Portal	<= 2.0.1
Naganobank	Nagagin	<= 1.0.1
Nttdata	Mypallete	-
Shikokubank	Shikoku Bank	<= 2.0.1
Sihd-Bk	Ikeda Senshu Bank	<= 3.0.4
Tohoku-Bank	Tougin	<= 1.0.1

Related Weaknesses (CWE)

CWE-295

References

http://jvn.jp/en/jp/JVN28845872/index.htmlThird Party Advisory
http://www.dokodemobank.ne.jp/info_20200128_bankingapp.htmlThird Party Advisory
https://www.77bank.co.jp/pdf/oshirase/20012801_appvulnerability.pdfThird Party Advisory
https://www.ashikagabank.co.jp/appbanking/pdf/oshirase.pdfThird Party Advisory
https://www.hokkaidobank.co.jp/common/dat/2020/0120/15795047141946146699.pdfThird Party Advisory
https://www.hokugin.co.jp/info/archives/personal/2020/1913.htmlThird Party Advisory
https://www.naganobank.co.jp/soshiki/2/app-ssl.htmlThird Party Advisory
https://www.shikokubank.co.jp/info/apps20200128.htmlThird Party Advisory
https://www.sihd-bk.jp/common_v2/pdf/20200127.pdfThird Party Advisory
https://www.tohoku-bank.co.jp/news/topics/200128_applissl.htmlThird Party Advisory
http://jvn.jp/en/jp/JVN28845872/index.htmlThird Party Advisory
http://www.dokodemobank.ne.jp/info_20200128_bankingapp.htmlThird Party Advisory
https://www.77bank.co.jp/pdf/oshirase/20012801_appvulnerability.pdfThird Party Advisory
https://www.ashikagabank.co.jp/appbanking/pdf/oshirase.pdfThird Party Advisory
https://www.hokkaidobank.co.jp/common/dat/2020/0120/15795047141946146699.pdfThird Party Advisory

FAQ

What is CVE-2020-5523?

CVE-2020-5523 is a vulnerability with a CVSS score of 7.4 (HIGH). Android App 'MyPallete' and some of the Android banking applications based on 'MyPallete' do not verify X.509 certificates from servers, and also do not properly validate certificates with host-mismat...

How severe is CVE-2020-5523?

CVE-2020-5523 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-5523?

Check the references section above for vendor advisories and patch information. Affected products include: 77Bank 77 Bank, Ashikagabank Ashigin, Hokkaidobank Dogin, Hokugin Hokuriku Bank Portal, Naganobank Nagagin.