Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM4D3E5C6CF8A7B46361090DA01C6061AAF1FE7D680AE5A4206F96DE45C38DC238
HistoryJun 17, 2018 - 10:31 p.m.

Security Bulletin: IBM Worklight and IBM Mobile Foundation application authenticity bypass (CVE-2014-0888)

2018-06-1722:31:19
www.ibm.com
9

0.001 Low

EPSS

Percentile

33.0%

JSON

Summary

IBM Worklight and IBM Mobile Foundation application authenticity verification can be bypassed under certain conditions.

Vulnerability Details

CVEID:__CVE-2014-0888 __

**DESCRIPTION:**The application authenticity feature in IBM Worklight and IBM Mobile Foundation enables the Worklight server to validate that the Worklight client application has not been tampered with. Under certain conditions, a third party might be able to bypass the application authenticity validation and modify the client application.

CVSS Base Score: 3.5

CVSS Temporal Score: See**_<https://exchange.xforce.ibmcloud.com/vulnerabilities/91239&gt;_**** for the current score**

CVSS Environmental Score: Undefined*

CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

  • IBM Mobile Foundation and IBM Worklight Consumer Edition Versions 5.0.0.0, 5.0.0.1, 5.0.0.2, 5.0.0.3
  • IBM Mobile Foundation and IBM Worklight Enterprise Edition Versions 5.0.0.0, 5.0.0.1, 5.0.0.2, 5.0.0.3
  • IBM Mobile Foundation and IBM Worklight Consumer Edition Versions 5.0.5.0, 5.0.5.1
  • IBM Mobile Foundation and IBM Worklight Enterprise Edition Versions 5.0.5.0, 5.0.5.1
  • IBM Mobile Foundation and IBM Worklight Consumer Edition Versions 5.0.6.0, 5.0.6.1 and 5.0.6.2
  • IBM Mobile Foundation and IBM Worklight Enterprise Edition Versions 5.0.6.0, 5.0.6.1 and 5.0.6.2
  • IBM Mobile Foundation and IBM Worklight Consumer Edition Versions 6.0.0.0, 6.0.0.1 and 6.0.0.2
  • IBM Mobile Foundation and IBM Worklight Enterprise Edition Versions 6.0.0.0, 6.0.0.1 and 6.0.0.2
  • IBM Worklight Consumer Edition Versions 6.1.0.0 and 6.1.0.1
  • IBM Worklight Enterprise Edition Versions 6.1.0.0 and 6.1.0.1

Remediation/Fixes

The application authenticity validation feature has been strengthened in IBM Worklight Foundation Version 6.2.0.0. You can upgrade the Worklight server and Worklight client applications to version 6.2.0.0.

Workarounds and Mitigations

The application authenticity validation feature might be bypassed more easily if the Android versions of the Worklight client application are shipped with debug mode enabled. The debug mode is specified in the AndroidManifest.xml file with the android:debuggable attribute of the application element. Ensure that this attribute is not set to true.

Utilizing only official mobile application stores for application distribution and installation reduces the chances of client application tampering.

Related

nvd 1
prion 1
cve 1
cvelist 1
nvd
nvd
CVE-2014-0888
2014-08-29 09:55:07
prion
prion
Authentication flaw
2014-08-29 09:55:00
cve
cve
CVE-2014-0888
2014-08-29 10:00:00
cvelist
cvelist
CVE-2014-0888
2014-08-29 10:00:00

0.001 Low

EPSS

Percentile

33.0%

JSON
Related for 4D3E5C6CF8A7B46361090DA01C6061AAF1FE7D680AE5A4206F96DE45C38DC238
nvd1prion1cve1cvelist1