Published:2020/12/07  Last Updated:2020/12/07

Apache Cordova Plugin camera vulnerable to information exposure


Apache Cordova Plugin camera is vulnerable to information exposure.

Products Affected

  • Apache Cordova Plugin camera versions prior to 5.0.0


Apache Cordova Plugin camera is a plugin for Apache Cordova applications, which provides an API for taking pictures and for choosing images from the system image library.
Vulnerable versions of Apache Cordova Plugin camera, when used in Android applications, use the external storage on the device when available, as an image file cache. Any applications with permission READ_EXTERNAL_STORAGE (or WRITE_EXTERNAL_STORAGE also) can access these cache files(CWE-200).

On the source code repository, the commit to fix the vulnerability is done for version 4.2.0, but version 4.2.0 is not officially released. Hence the fixed version is 5.0.0.


When a user is tricked into installing some malicious application to the Android device which has an external storage, and the user take a photo with the vulnerable application, then the image (photo) file is cached on the external storage. The malicious application may retrieve the file contents from the external storage.


Update the Software
Android cordova application with Cordova Plugin camera should be updated with that plugin version 5.0.0 or higher.


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Base Score: 3.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
Base Score: 4.3
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)


The analysis assumes that the user is tricked into installing some malicious application on the device.
UI:R (User Interaction is Required) because the user should allow the application to access the external storage.


Akihiro Matsumura of Saison Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2020-11990
JVN iPedia JVNDB-2020-000081