Online Accounts Signon daemon gives out all oauth tokens to any app
CVE-2014-1423

5.9MEDIUM

Key Information:

Vendor

Ubuntu

Status
Signon
Vendor
CVE Published:
7 May 2020

What is CVE-2014-1423?

signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

signon Ubuntu 15.04 signon < 8.57+15.04.20141127.1-0ubuntu1

References

http://bazaar.launchpad.net/~online-accounts/signon/upstr...
x_refsource_MISC
http://bazaar.launchpad.net/~online-accounts/signon/upstr...
x_refsource_MISC
https://bugs.launchpad.net/ubuntu/+source/signon/+bug/139...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Zanetti
JSON
.