Vulnerability Description
Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mifos | Mifos-Mobile | < 2021-03-14 |
Related Weaknesses (CWE)
References
- https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfPatchThird Party Advisory
- https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvxPatchThird Party Advisory
- https://openmf.github.io/mobileapps.github.io/ProductThird Party Advisory
- https://github.com/openMF/mifos-mobile/commit/e505f62b92b19292bfdabd6e996ab76abfPatchThird Party Advisory
- https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvxPatchThird Party Advisory
- https://openmf.github.io/mobileapps.github.io/ProductThird Party Advisory
FAQ
What is CVE-2021-21385?
CVE-2021-21385 is a vulnerability with a CVSS score of 8.8 (HIGH). Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its H...
How severe is CVE-2021-21385?
CVE-2021-21385 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-21385?
Check the references section above for vendor advisories and patch information. Affected products include: Mifos Mifos-Mobile.