Published: 2024/06/07  Last Updated: 2024/06/07

JVN#55045256
Multiple vulnerabilities in "FreeFrom - the nostr client" App

Overview

"FreeFrom - the nostr client" App provided by FreeFrom K.K. contains multiple vulnerabilities.

Products Affected

  • "FreeFrom - the nostr client" App for Android versions prior to 1.3.5
  • "FreeFrom - the nostr client" App for iOS versions prior to 1.3.5

Description

"FreeFrom - the nostr client" App provided by FreeFrom K.K. contains multiple vulnerabilities listed below.

  • Improper verification of cryptographic signature (CWE-347)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score 5.3
    • CVE-2024-36277
  • Reliance on obfuscation or encryption of security-relevant inputs without integrity checking (CWE-649)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score 5.3
    • CVE-2024-36279
  • Reusing a nonce, key pair in encryption (CWE-323)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
    • CVE-2024-36289

Impact

  • The affected app cannot detect event data with invalid signatures (CVE-2024-36277)
  • The content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack (CVE-2024-36279, CVE-2024-36289)

Solution

Update the application
Update the application to the latest version according to the information provided by the developer.

Credit

The people listed below reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Hayato Kimura of University of Hyogo
Ryoma Ito of National Institute of Information and Communications Technology (NICT)
Kazuhiko Minematsu of NEC Corporation/Yokohama National University
Takanori Isobe of University of Hyogo

Other Information

CVE: CVE-2024-36277, CVE-2024-36279, CVE-2024-36289
JVN iPedia: JVNDB-2024-000060