CVE-2018-13435
https://notcve.org/view.php?id=CVE-2018-13435
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method to disable passcode authentication. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes iOS devices on which a jailbreak has occurred.
• https://gist.github.com/tanprathan/19165c43ade898ab8b664098fb171f49
• CWE-287: Improper Authentication
CVE-2018-13434
https://notcve.org/view.php?id=CVE-2018-13434
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The LAContext class for Biometric (TouchID) validation allows authentication bypass by overriding the LAContext return Boolean value to be "true" because the kSecAccessControlUserPresence protection mechanism is not used. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes iOS devices on which a jailbreak has occurred.
• https://gist.github.com/tanprathan/f5133651e438b2ad1b39172d52b56115
• CWE-287: Improper Authentication
CVE-2018-13446
https://notcve.org/view.php?id=CVE-2018-13446
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred.
• https://gist.github.com/tanprathan/efde53e5b312f50edb08f050b6be3928
• CWE-287: Improper Authentication
CVE-2018-0609
https://notcve.org/view.php?id=CVE-2018-0609
Untrusted search path vulnerability in LINE for Windows versions before 5.8.0 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
• http://jvn.jp/en/jp/JVN92265618/index.html
• https://linecorp.com/en/security/article/172
• CWE-426: Untrusted Search Path
CVE-2018-0518
https://notcve.org/view.php?id=CVE-2018-0518
LINE for iOS version 7.1.3 to 7.1.5 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
• https://jvn.jp/en/jp/JVN75453852/index.html
• https://linecorp.com/en/security/article/136
• CWE-295: Improper Certificate Validation