MidnightBSD

Advisories for juiker

CVE-2014-6693 MEDIUM

The Juiker (aka org.itri) application 3.2.0829.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310

Products Affected

Vendor Product Version
juiker juiker 3.2.0829.1

CVE-2022-38117

Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users’ ciphertext and tamper with it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 0.9 5.2
twcert@cert.org.tw 5.5 MEDIUM CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N 0.3 5.2

Products Affected

Vendor Product Version
juiker juiker 4.6.0311.1

CVE-2022-39043

Juiker app stores debug logs which contain sensitive information to mobile external storage. An unauthenticated physical attacker can access these files to acquire partial user information such as personal contacts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 2.4 LOW CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 0.9 1.4

Products Affected

Vendor Product Version
juiker juiker 4.6.0607.1