Jun 17, 2018 - 10:33 p.m.

Security Bulletin: Open Source Apache Cordova Android Vulnerabilities affect IBM Worklight and IBM MobileFirst Platform Foundation

2018-06-17 22:33:35
www.ibm.com
EPSS: 0.001 (percentile: 38.6%)

Summary

Apache Cordova is an open source framework for mobile development.
The Cordova framework is used in all mobile environments in IBM Worklight and IBM MobileFirst Platform Foundation, but this particular open source Apache Cordova vulnerability affects only the Android platform.

Affected Products and Versions

CVEID: CVE-2017-3160
DESCRIPTION: Apache Cordova Android could allow a remote attacker to conduct man-in-the-middle techniques, caused by the failure to use https by default by the Gradle Distribution URL. An attacker could exploit this vulnerability to conduct man-in-the-middle attacks and make the Gradle URL unsafe.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121354> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
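
A check for the condition behind CVE-2017-3160, added here as an example (not code from IBM or Apache Cordova). It assumes the Android project carries a standard Gradle `gradle-wrapper.properties` file, flags a `distributionUrl` that is not fetched over HTTPS, and notes when the optional `distributionSha256Sum` pin is absent. The sample file contents and the function names are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample wrapper files (not taken from the bulletin or from Cordova).
SAMPLE_INSECURE = """\
distributionBase=GRADLE_USER_HOME
distributionUrl=http\\://services.gradle.org/distributions/gradle-X.Y-all.zip
"""
SAMPLE_PINNED = """\
distributionUrl=https\\://services.gradle.org/distributions/gradle-X.Y-all.zip
distributionSha256Sum=<sha256-of-the-distribution-zip>
"""

def parse_properties(text):
    """Parse the key=value subset of Java .properties used by the Gradle wrapper."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            # Values escape ':' as '\:'; drop the backslash to recover the URL.
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props

def audit_wrapper(text):
    """Return findings for one gradle-wrapper.properties body (empty list = OK)."""
    props = parse_properties(text)
    url = props.get("distributionUrl")
    if url is None:
        return ["distributionUrl is not set"]
    findings = []
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("https", "file"):
        findings.append(f"distributionUrl is fetched over '{scheme}': {url}")
    if "distributionSha256Sum" not in props:
        findings.append("distributionSha256Sum is not set, download is unverified")
    return findings

def scan_tree(root):
    """Audit every gradle-wrapper.properties under root; map path -> findings."""
    results = {}
    for path in Path(root).rglob("gradle-wrapper.properties"):
        findings = audit_wrapper(path.read_text(encoding="latin-1"))
        if findings:
            results[str(path)] = findings
    return results
```

Calling `scan_tree()` on a project or build-agent workspace root returns only the wrapper files that need attention.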

CVEID: CVE-2016-6799
DESCRIPTION: Apache Cordova Android could allow a local attacker to obtain sensitive information, caused by a flaw in the Log class. An attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125857> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Remediation/Fixes

Product| Version| APAR| Remediation/Fix
—|—|—|—
IBM MobileFirst Platform Foundation| 8.0| PI87100| Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM MobileFirst Platform Foundation| 7.1| PI87100| Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM MobileFirst Platform Foundation| 7.0| PI87100| Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM MobileFirst Platform Foundation| 6.3| PI87100| Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM Worklight| 6.2| PI87100| Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM Worklight| 6.1| PI87100| Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral
IBM Worklight| 6.0| PI87100| Download the latest iFix for IBM MobileFirst Platform Foundation on FixCentral

Workarounds and Mitigations

None
