Local Information Disclosure in Envoy Passport for Android and iPhone
CVE-2018-17499

2.9 LOW

Key Information:

Vendor

Envoy

CVE Published:
21 March 2019

What is CVE-2018-17499?

Envoy Passport for Android and iPhone handles sensitive data improperly: it stores unencrypted information in log files. A local attacker who can read these logs can obtain sensitive data, including two API keys, a token, and other private information, potentially leading to further exploits or unauthorized access.

Affected Version(s)

Envoy Passport for Android 2.4.0

Envoy Passport for iPhone 2.2.5

CVSS V3.1

Score:
2.9
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
