CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
12.6%
Sending a specially crafted intent with an invalid/empty extras de.niklasmerz.cordova.biometric.BiometricActivity
can cause the app to crash. sending the intent repeatedly can prevent the app using this plugin from working, resulting in a denial of service (DoS) condition.
A 3rd party app/remote attacker can exploit this vulnerability by sending a malicious intent to the target device, causing the app using this plugin from working to crash or become unresponsive, resulting in a denial of service (DoS) condition.
Version 5.0.1 of the cordova-plugin-fingerprint-aio doesn’t export the activity anymore and is no longer vulnerable.
If you want to fix older versions change the attribute android:exported
of this code snippet in plugin.xml to false
:
<config-file target="AndroidManifest.xml" parent="application">
<activity android:name="de.niklasmerz.cordova.biometric.BiometricActivity" android:theme="@style/TransparentTheme" android:exported="false"/>
</config-file>
Please upgrade to version 5.0.1 as soon as possible.
Please check out the release on GitHub.
If you have any questions or comments about this advisory please go to the discussion on GitHub.
Vendor | Product | Version | CPE |
---|---|---|---|
cordova_plugin_fingerprint_all-in-one_project | cordova_plugin_fingerprint_all-in-one | * | cpe:2.3:a:cordova_plugin_fingerprint_all-in-one_project:cordova_plugin_fingerprint_all-in-one:*:*:*:*:node.js:*:*:* |
github.com/advisories/GHSA-7vfx-hfvm-rhr8
github.com/NiklasMerz/cordova-plugin-fingerprint-aio/commit/27434a240f97f69fd930088654590c8ba43569df
github.com/NiklasMerz/cordova-plugin-fingerprint-aio/discussions/394
github.com/NiklasMerz/cordova-plugin-fingerprint-aio/releases/tag/v5.0.1
github.com/NiklasMerz/cordova-plugin-fingerprint-aio/security/advisories/GHSA-7vfx-hfvm-rhr8
nvd.nist.gov/vuln/detail/CVE-2021-43849
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
12.6%