PT-2021-11760 · Uti · Uti Mutual Fund Android Application

Tejas Nitin Pingulkar · Published 2021-12-23 · Updated 2021-12-29 · CVE-2020-35398

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: UTI Mutual Fund Android application, versions 5.4.18 and prior
Description: An issue in the UTI Mutual Fund Android application allows attackers to enumerate valid usernames by brute force, because the error message returned after a failed login attempt reveals whether the submitted username exists.
Recommendations: For versions 5.4.18 and prior, consider implementing rate limiting or IP blocking to slow brute-force attempts, and change the error message so that it does not disclose whether the username is valid. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
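To illustrate the recommendation above, here is an added example (not code from the UTI application or from the advisory author) of a login handler in its enumerating form beside a hardened one that returns a single generic failure message, hashes a dummy credential for unknown users, and rate-limits failures per client IP and per submitted username; the user store, salt and IP addresses are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed sample user store: username -> (salt, PBKDF2 digest). Not real data.
_SALT = b"constructed-salt"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = _hash(secrets.token_hex(16), _SALT)  # used so unknown users cost the same work

def login_vulnerable(username: str, password: str):
    # Two distinct messages: the response itself tells the caller whether the account exists.
    if username not in USERS:
        return False, "User does not exist"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return False, "Incorrect password"
    return True, "OK"

GENERIC_FAILURE = "Invalid username or password"
LOCKOUT_MESSAGE = "Too many attempts, try again later"
MAX_ATTEMPTS = 5          # failures allowed per key inside the window
WINDOW_SECONDS = 300
_failures = defaultdict(list)  # key (ip or "user:<name>") -> timestamps of recent failures

def _too_many(key: str, now: float) -> bool:
    recent = [t for t in _failures[key] if now - t < WINDOW_SECONDS]
    _failures[key] = recent
    return len(recent) >= MAX_ATTEMPTS

def login_hardened(username: str, password: str, client_ip: str, now=None):
    now = time.monotonic() if now is None else now
    user_key = "user:" + username
    # The username key is tracked whether or not the account exists, so lockout
    # behaviour cannot be used as a replacement oracle.
    if _too_many(client_ip, now) or _too_many(user_key, now):
        return False, LOCKOUT_MESSAGE
    salt, digest = USERS.get(username, (_SALT, _DUMMY))
    # Always compute the hash so the unknown-user path does not return noticeably faster.
    ok = hmac.compare_digest(_hash(password, salt), digest) and username in USERS
    if not ok:
        _failures[client_ip].append(now)
        _failures[user_key].append(now)
        return False, GENERIC_FAILURE
    return True, "OK"
```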

Exploit

Side Channel Attack


Weakness Enumeration

Related Identifiers

CVE-2020-35398

Affected Products

Uti Mutual Fund Android Application