Local Information Disclosure in Envoy Passport for Android and iPhone
CVE-2018-17500

2.9LOW

Key Information:

Vendor: Envoy
Status: Envoy Passport For Iphone; Envoy Passport For Android
Vendor: CVE Published:; 21 March 2019

What is CVE-2018-17500?

The Envoy Passport applications for Android and iPhone contain a vulnerability that allows local attackers to access sensitive information due to hardcoded OAuth credentials stored in plaintext. This security flaw can be exploited by adversaries to retrieve confidential data, potentially leading to further breaches and unauthorized access to user accounts. Ensuring the proper management of sensitive information is critical to maintaining the security posture of these applications.

Affected Version(s)

Envoy Passport for Android 2.4.0

Envoy Passport for iPhone 2.2.5

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/149660

vdb-entryx_refsource_XF

CVSS V3.1

Score:

2.9

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 21, 2019
Vulnerability Reserved
Sep 25, 2018

JSON