Lucene search

K
cve[email protected]CVE-2021-25266
HistoryApr 27, 2022 - 5:15 p.m.

CVE-2021-25266

2022-04-2717:15:07
CWE-922
web.nvd.nist.gov
50
2
cve-2021-25266
insecure data storage
physical attacker
root privileges
totp secret keys
sophos authenticator
intercept x for mobile
android
nvd

3.9 Low

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

4.2 Medium

AI Score

Confidence

High

2.1 Low

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

12.5%

An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495.

Affected configurations

NVD
Node
sophosauthenticatorRange3.4android
OR
sophosintercept_xRange<9.7.3495android

CNA Affected

[
  {
    "product": "Intercept X for Mobile (Android)",
    "vendor": "Sophos",
    "versions": [
      {
        "lessThan": "9.7.3495",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Sophos Authenticator (Android)",
    "vendor": "Sophos",
    "versions": [
      {
        "lessThanOrEqual": "3.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

Social References

More

3.9 Low

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

4.2 Medium

AI Score

Confidence

High

2.1 Low

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

12.5%

Related for CVE-2021-25266