cnvd - cnvd-2017-06424

cnvd-2017-06424

Vulnerability from cnvd

Title: Apache Cordova Android信息泄露漏洞

Description:

Adobe PhoneGap是美国奥多比（Adobe）公司的一套开源的开发框架。Apache Cordova Android是美国阿帕奇（Apache）软件基金会的一套可使用HTML、CSS和JavaScript开发基于Android的移动应用程序的平台，也是驱动PhoneGap的核心引擎。

Apache Cordova Android 5.2.2及之前的版本中存在安全漏洞。攻击者可利用漏洞读取其他应用程序记录的数据信息。

Severity: 中

Patch Name: Apache Cordova Android信息泄露漏洞的补丁

Patch Description:

Apache Cordova Android 5.2.2及之前的版本中存在安全漏洞。攻击者可利用漏洞读取其他应用程序记录的数据信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接：https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69@%3Cdev.cordova.apache.org%3E

Reference: https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69@%3Cdev.cordova.apache.org%3E

Impacted products

Name
Apache Software Foundation Cordova <=5.2.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-6799",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6799"
    }
  },
  "description": "Adobe PhoneGap\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5f00\u53d1\u6846\u67b6\u3002Apache Cordova Android\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u53ef\u4f7f\u7528HTML\u3001CSS\u548cJavaScript\u5f00\u53d1\u57fa\u4e8eAndroid\u7684\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u7684\u5e73\u53f0\uff0c\u4e5f\u662f\u9a71\u52a8PhoneGap\u7684\u6838\u5fc3\u5f15\u64ce\u3002\r\n\r\nApache Cordova Android 5.2.2\u53ca\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u8bfb\u53d6\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u8bb0\u5f55\u7684\u6570\u636e\u4fe1\u606f\u3002",
  "discovererName": "unknown",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1ahttps://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69@%3Cdev.cordova.apache.org%3E",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-06424",
  "openTime": "2017-05-11",
  "patchDescription": "Adobe PhoneGap\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5f00\u53d1\u6846\u67b6\u3002Apache Cordova Android\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u53ef\u4f7f\u7528HTML\u3001CSS\u548cJavaScript\u5f00\u53d1\u57fa\u4e8eAndroid\u7684\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u7684\u5e73\u53f0\uff0c\u4e5f\u662f\u9a71\u52a8PhoneGap\u7684\u6838\u5fc3\u5f15\u64ce\u3002\r\n\r\nApache Cordova Android 5.2.2\u53ca\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u8bfb\u53d6\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u8bb0\u5f55\u7684\u6570\u636e\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Cordova Android\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Software Foundation Cordova \u003c=5.2.2"
  },
  "referenceLink": "https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69@%3Cdev.cordova.apache.org%3E",
  "serverity": "\u4e2d",
  "submitTime": "2017-05-11",
  "title": "Apache Cordova Android\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2016-6799 (GCVE-0-2016-6799)

Vulnerability from cvelistv5

Published

2017-05-09 15:00

Modified

2024-08-06 01:43

Severity ?

CWE

Information Disclosure

Summary

Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/98365	vdb-entry, x_refsource_BID
	https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69%40%3Cdev.cordova.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Cordova Android	Version: 5.2.2 and earlier

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:43:37.895Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "98365",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/98365"
          },
          {
            "name": "[dev] 20170509 CVE-2016-6799: Internal system information leak",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69%40%3Cdev.cordova.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Cordova Android",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "5.2.2 and earlier"
            }
          ]
        }
      ],
      "datePublic": "2017-05-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-05-11T09:57:01",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "98365",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/98365"
        },
        {
          "name": "[dev] 20170509 CVE-2016-6799: Internal system information leak",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69%40%3Cdev.cordova.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2016-6799",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Cordova Android",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.2.2 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "98365",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/98365"
            },
            {
              "name": "[dev] 20170509 CVE-2016-6799: Internal system information leak",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69@%3Cdev.cordova.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2016-6799",
    "datePublished": "2017-05-09T15:00:00",
    "dateReserved": "2016-08-12T00:00:00",
    "dateUpdated": "2024-08-06T01:43:37.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted