CVE-2021-25374

An improper authorization vulnerability in Samsung Members "samsungrewards" scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data related with Samsung Account.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://security.samsungmobile.com/	Vendor Advisory
https://security.samsungmobile.com/serviceWeb.smsb	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:samsung:members:*:*:*:*:*:*:*:*

cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:a:samsung:members:*:*:*:*:*:*:*:*

cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*

History

14 Jul 2022, 15:44

Type	Values Removed	Values Added
CWE	~~CWE-863~~	NVD-CWE-Other

21 Apr 2021, 18:02

Type	Values Removed	Values Added
CWE		CWE-863
References	~~(CONFIRM) https://security.samsungmobile.com/ -~~	(CONFIRM) https://security.samsungmobile.com/ - Vendor Advisory
References	~~(CONFIRM) https://security.samsungmobile.com/serviceWeb.smsb -~~	(CONFIRM) https://security.samsungmobile.com/serviceWeb.smsb - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 7.5
CPE		cpe:2.3:o:google:android:8.1:::::::* cpe:2.3:o:google:android:9.0:::::::* cpe:2.3:a:samsung:members::::::::

09 Apr 2021, 18:54

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-04-09 18:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-25374

Mitre link : CVE-2021-25374

CVE.ORG link : CVE-2021-25374

JSON object : View

Products Affected

google

android

samsung

members

CWE

NVD-CWE-Other CWE-285

Improper Authorization

{"id": "CVE-2021-25374", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "mobile.security@samsung.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2021-04-09T18:15:15.100", "references": [{"url": "https://security.samsungmobile.com/", "tags": ["Vendor Advisory"], "source": "mobile.security@samsung.com"}, {"url": "https://security.samsungmobile.com/serviceWeb.smsb", "tags": ["Vendor Advisory"], "source": "mobile.security@samsung.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "mobile.security@samsung.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability in Samsung Members \"samsungrewards\" scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data related with Samsung Account."}, {"lang": "es", "value": "Una vulnerabilidad de autorizaci\u00f3n inapropiada en el esquema \"samsungrewards\" de Samsung Members para deeplink en versiones 2.4.83.9 en Android O(8.1) y por debajo y versiones 3.9.00.9 en Android P(9.0) y superiores, permite a atacantes remotos acceder a datos de usuario relacionados con Samsung Account"}], "lastModified": "2022-07-14T15:44:12.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:samsung:members:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4702C92-F06E-4732-8DA5-B28FBDA5DF51", "versionEndIncluding": "2.4.83.9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B06BE74B-83F4-41A3-8AD3-2E6248F7B0B2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:samsung:members:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47075F11-E4BB-41EA-B107-BF975F280EE0", "versionStartIncluding": "3.9.00.9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8DFAAD08-36DA-4C95-8200-C29FE5B6B854"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "mobile.security@samsung.com"}