Online Accounts Signon daemon gives out all oauth tokens to any app
CVE-2014-1423

5.9MEDIUM

Key Information:

Vendor: Ubuntu
Status: Signon
Vendor: CVE Published:; 7 May 2020

🔔 Create Ubuntu Vulnerability Alert

What is CVE-2014-1423?

signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information.

Affected Version(s)

signon Ubuntu 15.04 signon < 8.57+15.04.20141127.1-0ubuntu1

References

http://bazaar.launchpad.net/~online-accounts/signon/upstr...

x_refsource_MISC

http://bazaar.launchpad.net/~online-accounts/signon/upstr...

x_refsource_MISC

https://bugs.launchpad.net/ubuntu/+source/signon/+bug/139...

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2020
Vulnerability Reserved
Jan 13, 2014

Credit

Michael Zanetti

.