{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-13916", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2025-03-04T13:18:35.318Z", "datePublished": "2025-05-30T15:16:03.066Z", "dateUpdated": "2025-06-10T09:15:08.586Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "com.pri.applock", "vendor": "Kruger&Matz", "versions": [{"status": "affected", "version": "13"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Szymon Chadam"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An&nbsp;application \"com.pri.applock\", which is pre-loaded on&nbsp;Kruger&amp;Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.<br>Exposed \u201dcom.android.providers.settings.fingerprint.PriFpShareProvider\u201c content provider's public method <i>query()</i> allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.<br><br>Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. <br>Application update was released in April 2025."}], "value": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.android.providers.settings.fingerprint.PriFpShareProvider\u201c content provider's public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.\n\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \nApplication update was released in April 2025."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-06-10T09:15:08.586Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915"}], "source": {"discovery": "EXTERNAL"}, "title": "Exposure of Applications' Encryption PINs in Kruger&Matz AppLock", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-30T15:46:06.274077Z", "id": "CVE-2024-13916", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T15:46:37.820Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-13916", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-30T15:46:06.274077Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T15:46:10.922Z"}}], "cna": {"title": "Exposure of Applications' Encryption PINs in Kruger&Matz AppLock", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Szymon Chadam"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Kruger&Matz", "product": "com.pri.applock", "versions": [{"status": "affected", "version": "13"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.android.providers.settings.fingerprint.PriFpShareProvider\u201c content provider's public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.\n\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \nApplication update was released in April 2025.", "supportingMedia": [{"type": "text/html", "value": "An&nbsp;application \"com.pri.applock\", which is pre-loaded on&nbsp;Kruger&amp;Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.<br>Exposed \u201dcom.android.providers.settings.fingerprint.PriFpShareProvider\u201c content provider's public method <i>query()</i> allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.<br><br>Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. <br>Application update was released in April 2025.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-06-10T09:15:08.586Z"}}}, "cveMetadata": {"cveId": "CVE-2024-13916", "state": "PUBLISHED", "dateUpdated": "2025-06-10T09:15:08.586Z", "dateReserved": "2025-03-04T13:18:35.318Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2025-05-30T15:16:03.066Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.android.providers.settings.fingerprint.PriFpShareProvider\u201c content provider's public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.\n\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \nApplication update was released in April 2025."}, {"lang": "es", "value": "La aplicaci\u00f3n \"com.pri.applock\", preinstalada en los smartphones Kruger&amp;Matz, permite cifrar cualquier aplicaci\u00f3n mediante el c\u00f3digo PIN proporcionado por el usuario o datos biom\u00e9tricos. El m\u00e9todo p\u00fablico \"query()\" del proveedor de contenido \"com.android.providers.settings.fingerprint.PriFpShareProvider\", expuesto, permite que cualquier otra aplicaci\u00f3n maliciosa, sin permisos del sistema Android, extraiga el c\u00f3digo PIN. El proveedor no proporcion\u00f3 informaci\u00f3n sobre las versiones vulnerables. Solo la versi\u00f3n (nombre de la versi\u00f3n: 13, c\u00f3digo de la versi\u00f3n: 33) fue probada y se confirm\u00f3 que presenta esta vulnerabilidad."}], "id": "CVE-2024-13916", "lastModified": "2025-06-10T10:15:21.443", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2025-05-30T16:15:36.117", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "cvd@cert.pl", "type": "Secondary"}]}

{}