CVE-2018-20135

CWE-295Improper Certificate Validation3 documents3 sources
Severity
8.1HIGH
EPSS
1.0%
top 23.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Samsung Galaxy Apps
Timeline
PublishedJun 7
Latest updateMay 24

Description

Samsung Galaxy Apps before 4.4.01.7 allows modification of the hostname used for load balancing on installations of applications through a man-in-the-middle attack. An attacker may trick Galaxy Apps into using an arbitrary hostname for which the attacker can provide a valid SSL certificate, and emulate the API of the app store to modify existing apps at installation time. The specific flaw involves an HTTP method to obtain the load-balanced hostname that enforces SSL only after obtaining a hostn

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages1 packages

NVDsamsung/galaxy_apps< 4.4.01.7

🔴Vulnerability Details

2
GHSA
GHSA-3wcx-33v7-xf78: Samsung Galaxy Apps before 42022-05-24
CVEList
CVE-2018-20135: Samsung Galaxy Apps before 42019-06-07
CVE-2018-20135 (HIGH CVSS 8.1) | Samsung Galaxy Apps before 4.4.01.7 | cvebase.io