ID

VAR-202305-2534


CVE

CVE-2023-21514


TITLE

Input validation vulnerability in Samsung's Galaxy Store

Trust: 0.8

sources: JVNDB: JVNDB-2023-007563

DESCRIPTION

Improper scheme validation from InstantPlay Deeplink in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store. Samsung's Galaxy Store contains an input validation vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S22 smartphones. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the InstantPlaysDeepLink class. The issue results from a permissive list of allowed inputs. An attacker can leverage this vulnerability to execute code in the context of the current user.

Trust: 2.34

sources: NVD: CVE-2023-21514 // JVNDB: JVNDB-2023-007563 // ZDI: ZDI-23-773 // VULMON: CVE-2023-21514

AFFECTED PRODUCTS

vendor: samsung | model: galaxy store | scope: lt | version: 4.5.49.8

Trust: 1.0

vendor: サムスン | model: galaxy store | scope: eq | version: -

Trust: 0.8

vendor: サムスン | model: galaxy store | scope: eq | version: 4.5.49.8

Trust: 0.8

vendor: サムスン | model: galaxy store | scope: - | version: -

Trust: 0.8

vendor: samsung | model: galaxy s22 | scope: - | version: -

Trust: 0.7

sources: ZDI: ZDI-23-773 // JVNDB: JVNDB-2023-007563 // NVD: CVE-2023-21514

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2023-21514
value: HIGH

Trust: 1.8

mobile.security@samsung.com: CVE-2023-21514
value: HIGH

Trust: 1.0

ZDI: CVE-2023-21514
value: HIGH

Trust: 0.7

CNNVD: CNNVD-202305-2314
value: HIGH

Trust: 0.6

NVD:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

mobile.security@samsung.com:
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-21514
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2023-21514
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-23-773 // JVNDB: JVNDB-2023-007563 // NVD: CVE-2023-21514 // NVD: CVE-2023-21514 // CNNVD: CNNVD-202305-2314

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.0

problemtype: Improper Input Validation (CWE-20) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-007563 // NVD: CVE-2023-21514

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202305-2314

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202305-2314

CONFIGURATIONS

sources: NVD: CVE-2023-21514

PATCH

title: Samsung has issued an update to correct this vulnerability. | url: https://security.samsungmobile.com/serviceweb.smsb

Trust: 0.7

title: Fix for the SAMSUNG Mobile devices input validation error vulnerability | url: http://123.124.177.30/web/xxk/bdxqbyid.tag?id=242471

Trust: 0.6

sources: ZDI: ZDI-23-773 // CNNVD: CNNVD-202305-2314

EXTERNAL IDS

db: NVD | id: CVE-2023-21514

Trust: 4.0

db: JVNDB | id: JVNDB-2023-007563

Trust: 0.8

db: ZDI_CAN | id: ZDI-CAN-19751

Trust: 0.7

db: ZDI | id: ZDI-23-773

Trust: 0.7

db: CNNVD | id: CNNVD-202305-2314

Trust: 0.6

db: VULMON | id: CVE-2023-21514

Trust: 0.1

sources: ZDI: ZDI-23-773 // VULMON: CVE-2023-21514 // JVNDB: JVNDB-2023-007563 // NVD: CVE-2023-21514 // CNNVD: CNNVD-202305-2314

REFERENCES

url:https://security.samsungmobile.com/serviceweb.smsb?year=2023&month=01

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2023-21514

Trust: 0.8

url:https://security.samsungmobile.com/serviceweb.smsb

Trust: 0.7

url:https://cxsecurity.com/cveshow/cve-2023-21514/

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: ZDI: ZDI-23-773 // VULMON: CVE-2023-21514 // JVNDB: JVNDB-2023-007563 // NVD: CVE-2023-21514 // CNNVD: CNNVD-202305-2314

CREDITS

Chim

Trust: 0.7

sources: ZDI: ZDI-23-773

SOURCES

db: ZDI | id: ZDI-23-773
db: VULMON | id: CVE-2023-21514
db: JVNDB | id: JVNDB-2023-007563
db: NVD | id: CVE-2023-21514
db: CNNVD | id: CNNVD-202305-2314

LAST UPDATE DATE

2023-12-18T13:00:08.151000+00:00


SOURCES UPDATE DATE

db: ZDI | id: ZDI-23-773 | date: 2023-05-31T00:00:00
db: VULMON | id: CVE-2023-21514 | date: 2023-05-26T00:00:00
db: JVNDB | id: JVNDB-2023-007563 | date: 2023-11-22T08:11:00
db: NVD | id: CVE-2023-21514 | date: 2023-06-21T15:18:17.423
db: CNNVD | id: CNNVD-202305-2314 | date: 2023-06-25T00:00:00

SOURCES RELEASE DATE

db: ZDI | id: ZDI-23-773 | date: 2023-05-31T00:00:00
db: VULMON | id: CVE-2023-21514 | date: 2023-05-26T00:00:00
db: JVNDB | id: JVNDB-2023-007563 | date: 2023-11-22T00:00:00
db: NVD | id: CVE-2023-21514 | date: 2023-05-26T22:15:14.377
db: CNNVD | id: CNNVD-202305-2314 | date: 2023-05-26T00:00:00