CVE-2023-39736

8.2 HIGH

📋 TL;DR

CVE-2023-39736 is an information disclosure vulnerability in Fukunaga_memberscard Line 13.6.1 that leaks the LINE client secret. With the secret, an attacker can obtain channel access tokens and send unauthorized broadcast messages from the channel. It affects organizations running the vulnerable version of the Fukunaga_memberscard software for LINE integration.

💻 Affected Systems

Products:
  • Fukunaga_memberscard
Versions: 13.6.1
Operating Systems: Not OS-specific
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the LINE integration functionality specifically; an installation is only exposed if a LINE channel is configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full control of LINE channel communications, sending malicious broadcast messages to all subscribers, potentially spreading malware, phishing links, or damaging brand reputation.

🟠 Likely Case

Attackers send unauthorized promotional or spam messages through the compromised LINE channel, disrupting legitimate communications and eroding user trust.

🟢 If Mitigated

With proper secret rotation and access controls, impact is limited to temporary disruption until credentials are revoked.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires first obtaining the leaked client secret, for example from logs, misconfigurations, or another information disclosure vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.6.2 or later

Vendor Advisory: https://liff.line.me/1657606123-4Kp0xVrP

Restart Required: Yes

Instructions:

1. Upgrade Fukunaga_memberscard to version 13.6.2 or later.
2. Restart the application/service.
3. Rotate LINE channel access tokens and client secrets.

🔧 Temporary Workarounds

Rotate LINE Credentials

Applies to: all

Immediately revoke and regenerate the LINE channel access tokens and client secrets.

Navigate to LINE Developers Console > Your Channel > Basic settings > Issue Channel access token > Revoke/Reissue

Restrict Log Access

Applies to: linux

Ensure application logs containing sensitive information are properly secured and access-controlled. The commands below use a placeholder path and user; substitute the real log directory and the account the application runs as.

# restrict the log files to their owner only
chmod 600 /path/to/application/logs/*
# the application account still needs to enter the directory, so grant it
# read and traverse (rx) on the directory rather than read (r) alone
setfacl -m u:appuser:rx /path/to/application/logs

🧯 If You Can't Patch

  • Immediately rotate all LINE channel access tokens and client secrets
  • Implement strict access controls on application logs and configuration files

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Fukunaga_memberscard version is 13.6.1 and LINE integration is configured.

Check Version:

Check the application configuration or admin interface for version information.

Verify Fix Applied:

Confirm the version is 13.6.2 or later and that newly issued LINE credentials are in use.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access to client secret in logs
  • Unexpected LINE API token usage patterns

Network Indicators:

  • Unusual broadcast message traffic from LINE channel
  • API calls from unexpected IP addresses

SIEM Query:

source="fukunaga_logs" AND ("client_secret" OR "access_token") AND severity=HIGH
