Multiple vulnerabilities in Retty App



Published: 2021-07-14
Risk: Low
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2021-20747, CVE-2021-20748
CWE-ID: CWE-939, CWE-798
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Retty App for Android
Mobile applications / Apps for mobile phones

Retty App for iOS
Mobile applications / Apps for mobile phones

Vendor

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper Authorization in Handler for Custom URL Scheme

EUVDB-ID: #VU54859

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20747

CWE-ID: CWE-939 - Improper Authorization in Handler for Custom URL Scheme

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the affected app can be launched via a custom URL scheme. A remote attacker can trick a victim into accessing an arbitrary URL.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Retty App for Android: before 4.8.13

Retty App for iOS: before 4.11.14

External links

http://jvn.jp/en/jp/JVN26891339/index.html
http://drive.google.com/file/d/1PBYqIsK8QxEEhGJ4SEgpY7iZw3RTTDho/view


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use of hard-coded credentials

EUVDB-ID: #VU54860

Risk: Low

CVSSv3.1: 3.5 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20748

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a local attacker to gain full access to the vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials in the application code. A local attacker can analyze the app's data and obtain the API key for external services.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Retty App for Android: before 4.8.13

Retty App for iOS: before 4.11.14

External links

http://jvn.jp/en/jp/JVN26891339/index.html
http://drive.google.com/file/d/1PBYqIsK8QxEEhGJ4SEgpY7iZw3RTTDho/view


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.