#VU106950 Use of a broken or risky cryptographic algorithm in Musicshelf - CVE-2024-2365

Cybersecurity Help s.r.o.

Published: 2025-04-03

Vulnerability identifier: #VU106950

Vulnerability risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-2365

CWE-ID: CWE-327

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Musicshelf
Mobile applications / Apps for mobile phones

Vendor: Kirill Makarov

Description

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to software uses a weak SHA-1 Message_Digest algorithm within the IsValidPin() function in io\fabric\sdk\android\services\network\PinningTrustManager.java. An attacker with physical access to the system can bypass SSL pinning protection and intercept traffic sent by the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Musicshelf: 1.0 - 1.1

External links
https://github.com/ctflearner/Android_Findings/blob/main/Musicshelf/Weak_Hashing_Algorithms.md

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Dell APEX Cloud Platform for Red Hat OpenShift update for third-party components

SUSE update for docker, docker-stable

Weak cryptographic algorithm in Musicshelf