JVN#08994136
Bump for Android vulnerable in handling of implicit intents
Overview
Bump for Android contains a vulnerability in the handling of implicit intents.
Products Affected
- Bump for Android
Description
Bump for Android is an application that allows users to share information and files. Bump for Android contains a vulnerability in the handling of implicit intents.
Impact
Information such as the owner's name that was obtained from another device may be disclosed.
Solution
Do not use Bump for Android
According to the developer, Bump is no longer being developed or maintained, thus it is recommended to stop using the product.
Vendor Status
| Vendor | Link |
| Bump Technologies, Inc. | Bump Blog - All Good Things... |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.09.19 (CVSS Base Metrics)
| Measures | Severity | Description | ||
|---|---|---|---|---|
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". |
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) | Specialized access conditions exist. |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) | Authentication is not required to exploit the vulnerability. |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) | There is considerable informational disclosure. Access to some system files is possible, but the attacker does not have control over what is obtained, or the scope of the loss is constrained. |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) | There is no impact to the integrity of the system. |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) | There is no impact to the availability of the system. |
Base Score:2.6
Credit
Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2014-5320 |
| JVN iPedia |
JVNDB-2014-000109 |