CVE-2024-12604 - Vulnerability Details - OpenCVE

Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap&Sign App: before V.1.025.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Tapandsign	Tap\&sign

Configuration 1 [-]

cpe:2.3:a:tapandsign:tap\&sign:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://docs.tapandsign.com/tap-and-sign/tap-and-sign-v.1.025-surum-notlari
https://www.usom.gov.tr/bildirim/tr-25-0063

History

Wed, 19 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tapandsign Tapandsign tap\&sign
Weaknesses		CWE-312
CPEs		cpe:2.3:a:tapandsign:tap\&sign::::::::
Vendors & Products		Tapandsign Tapandsign tap\&sign

Mon, 10 Mar 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 10 Mar 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap&Sign App: before V.1.025.
Title		Improper Authentication in Tapandsign Technologies' Tap&Sign App
Weaknesses		CWE-526 CWE-640
References		https://docs.tapandsign.com/tap-and-sign/tap-and-sign-v.1.025-surum-notlari https://www.usom.gov.tr/bildirim/tr-25-0063
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published: 2025-03-10T14:28:12.230Z

Updated: 2025-03-10T16:06:16.108Z

Reserved: 2024-12-13T11:55:16.553Z

Link: CVE-2024-12604

Vulnrichment

Updated: 2025-03-10T16:06:10.787Z

NVD

Status : Analyzed

Published: 2025-03-10T15:15:36.947

Modified: 2025-03-19T14:55:40.523

Link: CVE-2024-12604

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-12604", "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "state": "PUBLISHED", "assignerShortName": "TR-CERT", "dateReserved": "2024-12-13T11:55:16.553Z", "datePublished": "2025-03-10T14:28:12.230Z", "dateUpdated": "2025-03-10T16:06:16.108Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Tap&Sign App", "vendor": "Tapandsign Technologies", "versions": [{"lessThan": "V.1.025", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mucahit IC"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.<p>This issue affects Tap&Sign App: before V.1.025.</p>"}], "value": "Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap&Sign App: before V.1.025."}], "impacts": [{"capecId": "CAPEC-50", "descriptions": [{"lang": "en", "value": "CAPEC-50 Password Recovery Exploitation"}]}, {"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-526", "description": "CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-640", "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2025-03-10T14:28:12.230Z"}, "references": [{"url": "https://docs.tapandsign.com/tap-and-sign/tap-and-sign-v.1.025-surum-notlari"}, {"url": "https://www.usom.gov.tr/bildirim/tr-25-0063"}], "source": {"advisory": "TR-25-0063", "defect": ["TR-25-0063"], "discovery": "UNKNOWN"}, "tags": ["exclusively-hosted-service"], "title": "Improper Authentication in Tapandsign Technologies' Tap&Sign App", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T16:06:00.844956Z", "id": "CVE-2024-12604", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T16:06:16.108Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12604", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-10T16:06:00.844956Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T16:06:10.787Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Improper Authentication in Tapandsign Technologies' Tap&Sign App", "source": {"defect": ["TR-25-0063"], "advisory": "TR-25-0063", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Mucahit IC"}], "impacts": [{"capecId": "CAPEC-50", "descriptions": [{"lang": "en", "value": "CAPEC-50 Password Recovery Exploitation"}]}, {"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Tapandsign Technologies", "product": "Tap&Sign App", "versions": [{"status": "affected", "version": "0", "lessThan": "V.1.025", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.tapandsign.com/tap-and-sign/tap-and-sign-v.1.025-surum-notlari"}, {"url": "https://www.usom.gov.tr/bildirim/tr-25-0063"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap&Sign App: before V.1.025.", "supportingMedia": [{"type": "text/html", "value": "Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.<p>This issue affects Tap&Sign App: before V.1.025.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-526", "description": "CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-640", "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password"}]}], "providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2025-03-10T14:28:12.230Z"}}}, "cveMetadata": {"cveId": "CVE-2024-12604", "state": "PUBLISHED", "dateUpdated": "2025-03-10T16:06:16.108Z", "dateReserved": "2024-12-13T11:55:16.553Z", "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "datePublished": "2025-03-10T14:28:12.230Z", "assignerShortName": "TR-CERT"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tapandsign:tap\\&sign:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E38B9DF-2BC7-40C1-A07F-77CEE465DF41", "versionEndExcluding": "1.025", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "iletisim@usom.gov.tr", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap&Sign App: before V.1.025."}, {"lang": "es", "value": "Almacenamiento de texto plano de informaci\u00f3n confidencial en una variable de entorno, mecanismo de recuperaci\u00f3n de contrase\u00f1a d\u00e9bil para vulnerabilidad de contrase\u00f1a olvidada en Tapandsign Technologies Tap&Sign App permite la explotaci\u00f3n de la recuperaci\u00f3n de contrase\u00f1a y el uso indebido de la funcionalidad. Este problema afecta a la aplicaci\u00f3n Tap&Sign: antes de V.1.025."}], "id": "CVE-2024-12604", "lastModified": "2025-03-19T14:55:40.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "iletisim@usom.gov.tr", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-10T15:15:36.947", "references": [{"source": "iletisim@usom.gov.tr", "tags": ["Release Notes"], "url": "https://docs.tapandsign.com/tap-and-sign/tap-and-sign-v.1.025-surum-notlari"}, {"source": "iletisim@usom.gov.tr", "tags": ["Third Party Advisory"], "url": "https://www.usom.gov.tr/bildirim/tr-25-0063"}], "sourceIdentifier": "iletisim@usom.gov.tr", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-526"}, {"lang": "en", "value": "CWE-640"}], "source": "iletisim@usom.gov.tr", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-312"}, {"lang": "en", "value": "CWE-640"}], "source": "nvd@nist.gov", "type": "Primary"}]}