CVE-2021-41849

An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It sends the following Personally Identifiable Information (PII) in plaintext using HTTP to servers located in China: user's list of installed apps and device International Mobile Equipment Identity (IMEI). This PII is transmitted to log.skyroam.com.cn using HTTP, independent of whether the user uses the Simo software.

CVSS v3.0 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://athack.com/session-details/401	Third Party Advisory
https://www.kryptowire.com/android-firmware-2022/	Broken Link
https://simowireless.com/	Vendor Advisory
https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed/	Exploit Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:bluproducts:g90_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:bluproducts:g90:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:bluproducts:g9_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:bluproducts:g9:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:wikomobile:tommy_3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:wikomobile:tommy_3:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:wikomobile:tommy_3_plus_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:wikomobile:tommy_3_plus:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:luna:simo_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:luna:simo:-:*:*:*:*:*:*:*

Information

Published : 2022-03-11 15:15

Updated : 2022-03-18 14:00

NVD link : CVE-2021-41849

Mitre link : CVE-2021-41849

JSON object : View

CWE

CWE-319

Cleartext Transmission of Sensitive Information

Advertisement

Products Affected

wikomobile

tommy_3
tommy_3_firmware
tommy_3_plus
tommy_3_plus_firmware

bluproducts

g90_firmware
g9_firmware
g9
g90

luna

simo_firmware
simo

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://athack.com/session-details/401", "name": "https://athack.com/session-details/401", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://www.kryptowire.com/android-firmware-2022/", "name": "https://www.kryptowire.com/android-firmware-2022/", "tags": ["Broken Link"], "refsource": "MISC"}, {"url": "https://simowireless.com/", "name": "https://simowireless.com/", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed/", "name": "https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed/", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It sends the following Personally Identifiable Information (PII) in plaintext using HTTP to servers located in China: user's list of installed apps and device International Mobile Equipment Identity (IMEI). This PII is transmitted to log.skyroam.com.cn using HTTP, independent of whether the user uses the Simo software."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-319"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-41849", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "LOW", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}}, "publishedDate": "2022-03-11T23:15Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:bluproducts:g90_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:bluproducts:g90:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:bluproducts:g9_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:bluproducts:g9:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:wikomobile:tommy_3_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:wikomobile:tommy_3:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:wikomobile:tommy_3_plus_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:wikomobile:tommy_3_plus:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:luna:simo_firmware:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:luna:simo:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-03-18T21:00Z"}