Headline
CVE-2021-20873: Android Apps developed using Yappli fails to restrict custom URL schemes properly
Yappli is an application development platform which provides the function to access a requested URL using Custom URL Scheme. When Android apps are developed with Yappli versions since v7.3.6 and prior to v9.30.0, they are vulnerable to improper authorization in Custom URL Scheme handler, and may be directed to unintended sites via a specially crafted URL.
Published:2021/12/22 Last Updated:2021/12/22
Overview
Android Apps developed using Yappli fails to restrict custom URL schemes properly.
Products Affected
- Android Apps that are developed in Yappli since v7.3.6 and prior to v9.30.0
Description
Yappli provided by Yappli, Inc. is an application development platform.
Android Apps that are developed with Yappli provide the function to access a requested URL using Custom URL Scheme.
The access to the function is not restricted properly (CWE-939) which may be exploited to direct the App to connect to unintended sites.
Impact
When accessing a malicious website containing a specially crafted URL, the vulnerable app may be directed to connect to some unintended site.
As a result, the app’s internal information may be leaked and/or altered.
Solution
Solution for developers of affected applications
Rebuild the application in the latest development environment. Until the rebuilt version is published, remove the affected version from an application store.
Solution for users of affected applications
Please inquire the application developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector(AV)
Physical §
Local (L)
Adjacent (A)
Network (N)
Attack Complexity(AC)
High (H)
Low (L)
Privileges Required(PR)
High (H)
Low (L)
None (N)
User Interaction(UI)
Required ®
None (N)
Scope(S)
Unchanged (U)
Changed ©
Confidentiality Impact©
None (N)
Low (L)
High (H)
Integrity Impact(I)
None (N)
Low (L)
High (H)
Availability Impact(A)
None (N)
Low (L)
High (H)
CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector(AV)
Local (L)
Adjacent Network (A)
Network (N)
Access Complexity(AC)
High (H)
Medium (M)
Low (L)
Authentication(Au)
Multiple (M)
Single (S)
None (N)
Confidentiality Impact©
None (N)
Partial §
Complete ©
Integrity Impact(I)
None (N)
Partial §
Complete ©
Availability Impact(A)
None (N)
Partial §
Complete ©
Comment
"Integrity(I)" is the primary impact, alteration of the application’s access destination,
whereas “Confidentiality©” and "Availability(A)" are the secondary impacts.
Credit
RyotaK reported and coordinated with the developer to fix this vulnerability.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
Other Information