Lucene search

[email protected]CVE-2020-12624

HistoryMay 03, 2020 - 1:15 p.m.

CVE-2020-12624

2020-05-0313:15:11

CWE-459

[email protected]

web.nvd.nist.gov

cve-2020-12624

league app

android

bearer token

session hijacking

nvd

okhttp

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

78.0%

JSON

The League application before 2020-05-02 on Android sends a bearer token in an HTTP Authorization header to an arbitrary web site that hosts an external image because an OkHttp object is reused, which allows remote attackers to hijack sessions.

Affected configurations

NVD

Node

theleaguethe_leagueRange<2020-05-02android

CPENameOperatorVersion
theleague:the_leaguetheleague the leaguelt2020-05-02

CPE	Name	Operator	Version
theleague:the_league	theleague the league	lt	2020-05-02

References

push32.com/post/dating-app-fail/

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

78.0%

JSON

Related for CVE-2020-12624

nvd1 prion1 cvelist1