JVN#59779918
Apache Cordova Plugin camera vulnerable to information exposure
Overview
Apache Cordova Plugin camera is vulnerable to information exposure.
Products Affected
- Apache Cordova Plugin camera versions prior to 5.0.0
Description
Apache Cordova Plugin camera is a plugin for Apache Cordova applications, which provides an API for taking pictures and for choosing images from the system image library.
Vulnerable versions of Apache Cordova Plugin camera, when used in Android applications, use the external storage on the device, when available, as an image file cache. Any application with the READ_EXTERNAL_STORAGE permission (or WRITE_EXTERNAL_STORAGE) can access these cache files (CWE-200).
In the source code repository, the commit that fixes the vulnerability was made for version 4.2.0, but version 4.2.0 was not officially released. Hence the fixed version is 5.0.0.
Impact
When a user is tricked into installing a malicious application on an Android device that has external storage, and the user takes a photo with the vulnerable application, the image (photo) file is cached on the external storage. The malicious application may then retrieve the file contents from the external storage.
Solution
Update the Software
Android Cordova applications that use Cordova Plugin camera should be updated to use plugin version 5.0.0 or higher.
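To find applications that still need this update, the following added example (not code from the Apache Cordova project or from JVN) checks a project's declared plugin version against 5.0.0. It assumes the plugin is declared under its npm name `cordova-plugin-camera` in `package.json` dependencies or in a `config.xml` `<plugin ... spec="...">` element; `classify` and `auditProject` are hypothetical helper names.

```javascript
// Added example (not Apache Cordova project code): flag cordova-plugin-camera
// declarations that admit a release prior to 5.0.0, the fixed version above.
const PLUGIN = 'cordova-plugin-camera';
const FIXED = [5, 0, 0];

// Classify one version spec: 'affected', 'ok', or 'unknown' (manual review).
function classify(spec) {
  // Accept exact, ^, ~, >= and = forms; the named version is the range's floor.
  const m = /^\s*(?:\^|~|>=|=)?\s*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  if (!m) return 'unknown'; // git URLs, tags such as "latest", "<x" ranges
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i] ? 'affected' : 'ok';
  }
  return 'ok';
}

// packageJsonText / configXmlText: file contents as strings (either may be null).
function auditProject(packageJsonText, configXmlText) {
  const findings = [];
  if (packageJsonText) {
    const pkg = JSON.parse(packageJsonText);
    for (const field of ['dependencies', 'devDependencies']) {
      const spec = pkg[field] && pkg[field][PLUGIN];
      if (spec) findings.push({ source: `package.json ${field}`, spec, status: classify(spec) });
    }
  }
  if (configXmlText) {
    // Scan each <plugin ...> tag; attribute order is not fixed.
    for (const tag of configXmlText.match(/<plugin\b[^>]*>/g) || []) {
      const name = /\bname\s*=\s*"([^"]*)"/.exec(tag);
      const spec = /\bspec\s*=\s*"([^"]*)"/.exec(tag);
      if (name && name[1] === PLUGIN) {
        const s = spec ? spec[1] : '';
        findings.push({ source: 'config.xml', spec: s, status: classify(s) });
      }
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from a real application).
const samplePackageJson = JSON.stringify({
  dependencies: { 'cordova-android': '^8.1.0', 'cordova-plugin-camera': '^4.1.0' },
});
const sampleConfigXml = '<widget><plugin name="cordova-plugin-camera" spec="5.0.1" /></widget>';
console.log(auditProject(samplePackageJson, sampleConfigXml));
```

A declared range only shows what may be installed; the version actually bundled into a build should be confirmed from the installed plugin's own package metadata.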
Vendor Status
Vendor | Link |
Apache Cordova Project | Security Advisory CVE-2020-11990 |
Apache Cordova Project | (github) Cache images in device storage, devices have enough space now. |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | ||
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | ||
Scope(S) | Unchanged (U) | Changed (C) | ||
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) |
Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Comment
The analysis assumes that the user is tricked into installing some malicious application on the device.
UI:R (User Interaction is Required) because the user must allow the application to access the external storage.
Credit
Akihiro Matsumura of Saison Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2020-11990 |
JVN iPedia | JVNDB-2020-000081 |