oss-sec mailing list archives
CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache Cordova Android
From: Joe Bowser <bowserj () gmail com>
Date: Fri, 20 Nov 2015 11:39:56 -0800
=================================================================== CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android Severity: Low Vendor: The Apache Software Foundation Versions Affected: Cordova Android versions up to and including 3.6.4 Description: Cordova uses a bridge that allows the Native Application to communicate with the HTML and Javascript that control the user interface. To protect this bridge on Android, the framework uses a BridgeSecret to protect it from third-party hijacking. However, the BridgeSecret is not sufficiently random and can be determined in certain scenarios. Upgrade Path: Developers who are concerned about this issue should rebuild their applications with Cordova Android 4.1.1 or later. Version 3.7.1 and later do not contain this vulnerability. Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team.
Current thread:
- CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache Cordova Android Joe Bowser (Nov 20)
- Re: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache Cordova Android Salvatore Bonaccorso (Nov 22)