cvelistv5 - cve-2020-11990

CVE-2020-11990 (GCVE-0-2020-11990)

Vulnerability from cvelistv5

Published

2020-12-01 16:46

Modified

2024-08-04 11:48

Severity ?

CWE

Exposure of Sensitive Information

Summary

We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. An attacker who could install (or lead the victim to install) a specially crafted (or malicious) Android application would be able to access pictures taken with the app externally.

References

URL

Tags

	https://cordova.apache.org/news/2020/09/18/camera-plugin-release.html	x_refsource_MISC
	http://jvn.jp/en/jp/JVN59779918/index.html	third-party-advisory, x_refsource_JVN

Impacted products

	Vendor	Product	Version
	n/a	Apache Cordova ( cordova-plugin-camera )	Version: cordova-plugin-camera@4.1.0 and below

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:48:57.611Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cordova.apache.org/news/2020/09/18/camera-plugin-release.html"
          },
          {
            "name": "JVN#59779918",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "http://jvn.jp/en/jp/JVN59779918/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Cordova ( cordova-plugin-camera )",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "cordova-plugin-camera@4.1.0 and below"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. An attacker who could install (or lead the victim to install) a specially crafted (or malicious) Android application would be able to access pictures taken with the app externally."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Exposure of Sensitive Information",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-07T04:06:05.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cordova.apache.org/news/2020/09/18/camera-plugin-release.html"
        },
        {
          "name": "JVN#59779918",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "http://jvn.jp/en/jp/JVN59779918/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-11990",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Cordova ( cordova-plugin-camera )",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "cordova-plugin-camera@4.1.0 and below"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. An attacker who could install (or lead the victim to install) a specially crafted (or malicious) Android application would be able to access pictures taken with the app externally."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Exposure of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cordova.apache.org/news/2020/09/18/camera-plugin-release.html",
              "refsource": "MISC",
              "url": "https://cordova.apache.org/news/2020/09/18/camera-plugin-release.html"
            },
            {
              "name": "JVN#59779918",
              "refsource": "JVN",
              "url": "http://jvn.jp/en/jp/JVN59779918/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-11990",
    "datePublished": "2020-12-01T16:46:08.000Z",
    "dateReserved": "2020-04-21T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:48:57.611Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-11990

Vulnerability from jvndb

Published

2020-12-07 16:34

Modified

2020-12-07 16:34

Severity ?

3.3 (Low) - cvssV3_0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Summary

Apache Cordova Plugin camera vulnerable to information exposure

Details

Apache Cordova Plugin camera is a plugin for Apache Cordova applications, which provides an API for taking pictures and for choosing images from the system image library. Vulnerable versions of Apache Cordova Plugin camera, when used in Android applications, use the external storage on the device when available, as an image file cache. Any applications with permission READ_EXTERNAL_STORAGE (or WRITE_EXTERNAL_STORAGE also) can access these cache files(CWE-200). On the source code repository, the commit to fix the vulnerability is done for version 4.2.0, but version 4.2.0 is not officially released. Hence the fixed version is 5.0.0. Akihiro Matsumura of Saison Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN59779918
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11990
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-11990
	Information Exposure(CWE-200)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

Apache Software Foundation

Apache Cordova

Show details on JVN DB website