Details of VAR-202305-2448

ID

VAR-202305-2448

CVE

CVE-2023-21515

TITLE

Samsung's Galaxy Store Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-007562

DESCRIPTION

InstantPlay which included vulnerable script which could execute javascript in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store. Samsung's Galaxy Store Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S22 smartphones. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the McsWebViewActivity class. The issue results from a permissive list of allowed inputs. An attacker can leverage this vulnerability to execute code in the context of the current user

Trust: 2.34

sources: NVD: CVE-2023-21515 // JVNDB: JVNDB-2023-007562 // ZDI: ZDI-23-772 // VULMON: CVE-2023-21515

AFFECTED PRODUCTS

vendor:	samsung	model:	galaxy store	scope:	lt	version:	4.5.49.8	Trust: 1.0
vendor:	サムスン	model:	galaxy store	scope:	eq	version:	-	Trust: 0.8
vendor:	サムスン	model:	galaxy store	scope:	eq	version:	4.5.49.8	Trust: 0.8
vendor:	サムスン	model:	galaxy store	scope:	-	version:	-	Trust: 0.8
vendor:	samsung	model:	galaxy s22	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-23-772 // JVNDB: JVNDB-2023-007562 // NVD: CVE-2023-21515

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2023-21515
value:	HIGH
Trust: 1.8
mobile.security@samsung.com:	CVE-2023-21515
value:	HIGH
Trust: 1.0
ZDI:	CVE-2023-21515
value:	HIGH
Trust: 0.7
CNNVD:	CNNVD-202305-2313
value:	HIGH
Trust: 0.6

NVD:
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
mobile.security@samsung.com:
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2023-21515
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2023-21515
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-23-772 // JVNDB: JVNDB-2023-007562 // NVD: CVE-2023-21515 // NVD: CVE-2023-21515 // CNNVD: CNNVD-202305-2313

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-007562 // NVD: CVE-2023-21515

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202305-2313

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202305-2313

CONFIGURATIONS

sources: NVD: CVE-2023-21515

PATCH

title:	Samsung has issued an update to correct this vulnerability.	url:	https://security.samsungmobile.com/serviceweb.smsb	Trust: 0.7
title:	SAMSUNG Mobile devices Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqbyid.tag?id=240241	Trust: 0.6

sources: ZDI: ZDI-23-772 // CNNVD: CNNVD-202305-2313

EXTERNAL IDS

db:	NVD	id:	CVE-2023-21515	Trust: 4.0
db:	JVNDB	id:	JVNDB-2023-007562	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-19585	Trust: 0.7
db:	ZDI	id:	ZDI-23-772	Trust: 0.7
db:	CNNVD	id:	CNNVD-202305-2313	Trust: 0.6
db:	VULMON	id:	CVE-2023-21515	Trust: 0.1

sources: ZDI: ZDI-23-772 // VULMON: CVE-2023-21515 // JVNDB: JVNDB-2023-007562 // NVD: CVE-2023-21515 // CNNVD: CNNVD-202305-2313

REFERENCES

url:	https://security.samsungmobile.com/serviceweb.smsb?year=2023&month=01	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2023-21515	Trust: 0.8
url:	https://security.samsungmobile.com/serviceweb.smsb	Trust: 0.7
url:	https://cxsecurity.com/cveshow/cve-2023-21515/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: ZDI: ZDI-23-772 // VULMON: CVE-2023-21515 // JVNDB: JVNDB-2023-007562 // NVD: CVE-2023-21515 // CNNVD: CNNVD-202305-2313

CREDITS

Interrupt Labs

Trust: 0.7

sources: ZDI: ZDI-23-772

SOURCES

db:	ZDI	id:	ZDI-23-772
db:	VULMON	id:	CVE-2023-21515
db:	JVNDB	id:	JVNDB-2023-007562
db:	NVD	id:	CVE-2023-21515
db:	CNNVD	id:	CNNVD-202305-2313

LAST UPDATE DATE

2023-12-18T13:06:01.882000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-23-772	date:	2023-05-31T00:00:00
db:	VULMON	id:	CVE-2023-21515	date:	2023-05-26T00:00:00
db:	JVNDB	id:	JVNDB-2023-007562	date:	2023-11-22T08:10:00
db:	NVD	id:	CVE-2023-21515	date:	2023-06-03T03:42:38.067
db:	CNNVD	id:	CNNVD-202305-2313	date:	2023-06-05T00:00:00

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-23-772	date:	2023-05-31T00:00:00
db:	VULMON	id:	CVE-2023-21515	date:	2023-05-26T00:00:00
db:	JVNDB	id:	JVNDB-2023-007562	date:	2023-11-22T00:00:00
db:	NVD	id:	CVE-2023-21515	date:	2023-05-26T22:15:14.530
db:	CNNVD	id:	CNNVD-202305-2313	date:	2023-05-26T00:00:00