Published: 2016/05/11  Last Updated: 2016/05/11

JVN#35341085
Apache Cordova fails to restrict access permissions

Overview

Apache Cordova contains a vulnerability where whitelist restrictions are not properly applied.

Products Affected

  • Cordova iOS versions 3.9.2 and earlier

Description

Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms.
iOS applications built using Apache Cordova contain a vulnerability where whitelist restrictions are not properly applied.

Impact

Accessing a specially crafted URL may result in transitioning to a URL that the whitelist should restrict.

Solution

Update Apache Cordova and re-build the iOS application
Developers of iOS applications should update Apache Cordova to version 4.0.0 or later and re-build the application.
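
As an added example (not part of the original advisory or of Apache Cordova), the following audit script reports whether a project still pins or has installed a Cordova iOS platform older than 4.0.0. It assumes the usual Cordova project layout: an `<engine name="ios" spec="...">` entry in `config.xml` and the installed platform version in `platforms/platforms.json`. The sample inputs are constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

FIXED = (4, 0, 0)  # first fixed Cordova iOS release named in the advisory
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def classify(version_text):
    """Return 'affected', 'fixed' or 'unknown' for a version or spec string.

    Range specs (~3.9.0, ^3.8.0, >=3.9.0) are judged by the version they name,
    which is conservative: a range that starts below 4.0.0 is flagged.
    """
    m = VERSION_RE.search(version_text or "")
    if m is None:  # git URL, local path or tag without x.y.z
        return "unknown"
    return "affected" if tuple(int(p) for p in m.groups()) < FIXED else "fixed"

def audit(config_xml, platforms_json=None):
    """Return {source: (version_text, verdict)} for the iOS platform."""
    findings = {}
    for el in ET.fromstring(config_xml).iter():
        # config.xml elements carry the widget namespace; compare local names.
        if el.tag.rsplit("}", 1)[-1] == "engine" and el.get("name") == "ios":
            # Assumption: some older CLI releases wrote version= instead of spec=.
            spec = el.get("spec") or el.get("version") or ""
            findings["config.xml"] = (spec, classify(spec))
    if platforms_json:
        installed = json.loads(platforms_json).get("ios")
        if installed:
            findings["platforms.json"] = (installed, classify(installed))
    return findings

# Constructed sample project files, not taken from a real application.
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets"
        id="com.example.app" version="1.0.0">
  <engine name="ios" spec="~3.9.0"/>
  <engine name="android" spec="~5.1.0"/>
</widget>"""
SAMPLE_PLATFORMS = '{"ios": "3.9.2", "android": "5.1.0"}'

if __name__ == "__main__":
    for source, (version, verdict) in audit(SAMPLE_CONFIG, SAMPLE_PLATFORMS).items():
        print(f"{source}: cordova-ios {version} -> {verdict}")
```

A "fixed" verdict only covers the project files; binaries built earlier still need to be re-built after the update.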

Vendor Status

  • Vendor: The Apache Software Foundation
  • Status: Vulnerable
  • Last Update: 2016/05/11
  • Vendor Notes: The Apache Software Foundation website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score: 4.3
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

CVSS v2: AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score: 4.3
  • Access Vector (AV): Network (N)
  • Access Complexity (AC): Medium (M)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): None (N)

Credit

Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2015-5207
  • JVN iPedia: JVNDB-2016-000058

Update History

2016/05/11
Values for "Confidentiality Impact" and "Integrity Impact" were fixed for both CVSS v3 and CVSS v2.