CVE-2014-6881

Published Oct 2, 2014

Last updated 10 years ago

Overview

Description: The PNC Virtual Wallet (aka com.pnc.ecommerce.mobile.vw.android) application before 2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Source: cret@cert.org
NVD status: Modified

Risk scores

CVSS 2.0

Type: Primary
Base score: 5.4
Impact score: 6.4
Exploitability score: 5.5
Vector string: AV:A/AC:M/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-310

Hype score: Not currently trending

Vendor comments

PNCThe PNC Virtual Wallet (aka com.pnc.ecommerce.mobile.vw.android application 2.1.1 for Android has been replaced by PNC Virtual Wallet 2.2. Version 2.1.1 is no longer available for use."

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:pnc:virtual_wallet_by_pnc:*:*:*:*:*:android:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6A1F050E-F323-4890-BBA9-CBE0F0007E2C",
            "versionEndIncluding": "2.1.1"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 2.0

Weaknesses

Social media

Vendor comments

Configurations

References