CVE-2017-3182
low-risk
Published 2018-07-24
On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack. ThreatMetrix is a security library for mobile applications, which aims to provide fraud prevention and device identity capabilities. The ThreatMetrix SDK versions prior to 3.2 do not validate SSL certificates on the iOS platform. An affected application will communicate with https://h-sdk.online-metrix.net, regardless of whether the connection is secure or not. An attacker on the same network as or upstream from the iOS device may be able to view or modify ThreatMetrix network traffic that should have been protected by HTTPS.
Do I need to act?
-
0.05% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.8/10
Medium
ADJACENT_NETWORK
/ HIGH complexity
Affected Products (1)
Threatmetrix Sdk
Affected Vendors
References (4)
Third Party Advisory
https://www.kb.cert.org/vuls/id/767208
Third Party Advisory
https://www.securityfocus.com/bid/95360
Third Party Advisory
https://www.kb.cert.org/vuls/id/767208
Third Party Advisory
https://www.securityfocus.com/bid/95360
23
/ 100
low-risk
Severity
18/34 · Moderate
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal