CVE-2021-25525

Improper check or handling of exception conditions vulnerability in Samsung Pay (US only) prior to version 4.0.65 allows attacker to use NFC without user recognition.

CVSS v3 6.5 MEDIUM
CVSS v2.0 3.3 LOW

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

3.3^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 6.5 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:samsung:pay:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-12-08 15:15

Updated : 2021-12-13 14:40

NVD link : CVE-2021-25525

Mitre link : CVE-2021-25525

CVE.ORG link : CVE-2021-25525

JSON object : View

Products Affected

samsung

pay

CWE

CWE-754

Improper Check for Unusual or Exceptional Conditions

CWE-703

Improper Check or Handling of Exceptional Conditions

{"id": "CVE-2021-25525", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "mobile.security@samsung.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 2.0, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 0.4}]}, "published": "2021-12-08T15:15:08.827", "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12", "tags": ["Vendor Advisory"], "source": "mobile.security@samsung.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-754"}]}, {"type": "Secondary", "source": "mobile.security@samsung.com", "description": [{"lang": "en", "value": "CWE-703"}]}], "descriptions": [{"lang": "en", "value": "Improper check or handling of exception conditions vulnerability in Samsung Pay (US only) prior to version 4.0.65 allows attacker to use NFC without user recognition."}, {"lang": "es", "value": "Una vulnerabilidad de comprobaci\u00f3n o administraci\u00f3n inapropiada de las condiciones de excepci\u00f3n en Samsung Pay (US only) versiones anteriores a 4.0.65, permite al atacante usar NFC sin el reconocimiento del usuario"}], "lastModified": "2021-12-13T14:40:36.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:samsung:pay:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEF979F8-567C-49FD-9BDF-1C6714EC6619", "versionEndExcluding": "4.0.65"}], "operator": "OR"}]}], "sourceIdentifier": "mobile.security@samsung.com"}