Information Leak in Apache Cordova Android Versions
CVE-2016-6799

7.5 HIGH

Key Information:

Vendor: Apache
CVE Published: 9 May 2017

Summary

Apache Cordova Android versions prior to 5.2.2 contain a vulnerability that exposes sensitive information through log methods. The application utilizes Log class methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()), which store messages in circular buffers on the device. By default, the logs retain up to four 16 KB rotated buffers alongside the current log. On devices running Android versions prior to 4.1 (Jelly Bean), logged data lacks application isolation, permitting any installed application to access log information from others. This can lead to potential information leakage, where sensitive data logged by one application may be readable by another, posing a significant risk to user privacy and application security.

Affected Version(s)

Apache Cordova Android 5.2.2 and earlier

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
