CVE-2021-22538
A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1) allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their...
EUVD-2020-5923
Malware in sbrugna...
EUVD-2020-18842
Malware in sbrugna...
EUVD-2021-0963
Malware in sbrugna...
Design/Logic Flaw
An attacker could prematurely expire a verification code, making it unusable by the patient, making the patient unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to V1.1.2 or greater...
PT-2021-15144 · Unknown · Exposure Notification Server
Name of the Vulnerable Software and Affected Versions: Exposure Notification server versions prior to V1.1.2. Description: An attacker could prematurely expire a verification code, making it unusable by the patient, and preventing the patient from uploading their TEKs to generate exposure...
Privilege escalation
A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1) allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their...
CVE-2021-22538 Privilege escalation in RBAC system
A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1) allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their...
CVE-2021-22538
CVE-2021-22538 is a privilege-escalation flaw in the Google Exposure Notification Verification Server (versions before 0.23.1). An attacker with UserWrite permissions and using a crafted request or malicious proxy can create a new user with higher privileges due to insufficient checks on the allo...
Seth Vargo Exposure Notification Verification Server Input Validation Error Vulnerability
Seth Vargo exposure-notifications-verification-server is an open source application by Seth Vargo. It is the reference implementation of the Exposure Notifications Verification Server, which is part of the broader Google Exposure Notifications system. A security vulnerability in Seth Vargo Exposu...
PT-2021-15131 · Google · Google Exposure Notification Verification Server
Name of the Vulnerable Software and Affected Versions: Google Exposure Notification Verification Server versions prior to 0.23.1. Description: A privilege escalation issue allows an attacker with UserWrite permissions, using a carefully crafted request or malicious proxy, to create another user wi...
CISOs Prep For COVID-19 Exposure Notification in the Workplace
With the potential of employees going back into the workplace on the horizon, chief information security officers (CISOs) are mulling applications that utilize exposure notifications in order to track COVID-19’s spread in the office. Steve Moore, chief security strategist with Exabeam, said he is...
German COVID-19 Contact-Tracing Vulnerability Allowed RCE
A security vulnerability in the infrastructure underlying Germany’s official COVID-19 contact-tracing app, called the Corona-Warn-App (CWA), would have allowed pre-authenticated remote code execution (RCE). Researcher Alvaro Muñoz wrote in a report this week that he and his team at GitHub Security La...
CVE-2020-26230
CVE-2020-26230 affects Radar COVID (Spain) where positives uploading TEKs to the backend can be identified/de-anonymized by an on-path observer. Root cause: backend communication is made only by COVID-19 positives, enabling traffic correlation across networks (MNOs/ISPs/VPNs or on-path attackers)...
PT-2020-15832 · Google · Gaen Protocol
Name of the Vulnerable Software and Affected Versions: GAEN protocol (affected versions not specified). Description: An issue was discovered in the GAEN protocol, as used in COVID-19 applications on Android and iOS. The encrypted metadata block with a TX value lacks a checksum, allowing bitflipping ...
CVE-2020-24721
An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the...
Code injection
An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the...
Govt.-Backed Contact-Tracing Apps Raise Privacy Hackles
The Electronic Frontier Foundation is echoing lawmaker concerns that California is not taking privacy seriously enough, as state legislators mull launching a COVID-19 exposure-notification app based on Apple and Google’s smartphone technology. The U.S. nonprofit, which is aimed at protecting...