Fwd: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache Cordova Android
---------- Forwarded message ----------
From: Joe Bowser <bowserj@xxxxxxxxx>
Date: Fri, Nov 20, 2015 at 11:39 AM
Subject: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache
To: DAVIDKA@xxxxxxxxxx, Roee Hay <ROEEH@xxxxxxxxxx>,
"private@xxxxxxxxxxxxxxxxxx" <private@xxxxxxxxxxxxxxxxxx>, dev
<dev@xxxxxxxxxxxxxxxxxx>, "security@xxxxxxxxxx" <security@xxxxxxxxxx>,
CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android
The Apache Software Foundation
Cordova Android versions up to and including 3.6.4
Cordova uses a bridge that allows the Native Application to communicate
this bridge on Android, the
framework uses a BridgeSecret to protect it from third-party hijacking.
However, the BridgeSecret is not sufficiently random and can be determined
in certain scenarios.
Developers who are concerned about this issue should rebuild their
applications with Cordova Android 4.1.1 or later. Version 3.7.1 and later
do not contain this vulnerability.
Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research