Weak cryptographic algorithm in Musicshelf
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-2365 |
| CWE-ID | CWE-327 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Musicshelf Mobile applications / Apps for mobile phones |
| Vendor | Kirill Makarov |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Use of a broken or risky cryptographic algorithm
EUVDB-ID: #VU106950
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-2365
CWE-ID:
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
DescriptionThe vulnerability allows an attacker to gain access to sensitive information.
The vulnerability exists due to software uses a weak SHA-1 Message_Digest algorithm within the IsValidPin() function in io\fabric\sdk\android\services\network\PinningTrustManager.java. An attacker with physical access to the system can bypass SSL pinning protection and intercept traffic sent by the application.
Install updates from vendor's website.
Vulnerable software versionsMusicshelf: 1.0 - 1.1
CPE2.3- cpe:2.3:a:kirillmakarov:musicshelf:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:kirillmakarov:musicshelf:1.1:*:*:*:*:*:*:*
https://github.com/ctflearner/Android_Findings/blob/main/Musicshelf/Weak_Hashing_Algorithms.md
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
