---------- Forwarded message ----------
From: Joe Bowser <bowserj (at) gmail (dot) com [email concealed]>
Date: Fri, Nov 20, 2015 at 11:39 AM
Subject: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache
Cordova Android
To: DAVIDKA (at) il.ibm (dot) com [email concealed], Roee Hay <ROEEH (at) il.ibm (dot) com [email concealed]>,
"private (at) cordova.apache (dot) org [email concealed]" <private (at) cordova.apache (dot) org [email concealed]>, dev
<dev (at) cordova.apache (dot) org [email concealed]>, "security (at) apache (dot) org [email concealed]" <security (at) apache (dot) org [email concealed]>,
oss-security (at) lists.openwall (dot) com [email concealed], bugtraq (at) securityfocus (dot) com [email concealed]
===================================================================
CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Cordova Android versions up to and including 3.6.4
Description:
Cordova uses a bridge that allows the Native Application to communicate
with the HTML and Javascript that control the user interface. To protect
this bridge on Android, the
framework uses a BridgeSecret to protect it from third-party hijacking.
However, the BridgeSecret is not sufficiently random and can be determined
in certain scenarios.
Upgrade Path:
Developers who are concerned about this issue should rebuild their
applications with Cordova Android 4.1.1 or later. Version 3.7.1 and later
do not contain this vulnerability.
Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research
Team.
From: Joe Bowser <bowserj (at) gmail (dot) com [email concealed]>
Date: Fri, Nov 20, 2015 at 11:39 AM
Subject: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache
Cordova Android
To: DAVIDKA (at) il.ibm (dot) com [email concealed], Roee Hay <ROEEH (at) il.ibm (dot) com [email concealed]>,
"private (at) cordova.apache (dot) org [email concealed]" <private (at) cordova.apache (dot) org [email concealed]>, dev
<dev (at) cordova.apache (dot) org [email concealed]>, "security (at) apache (dot) org [email concealed]" <security (at) apache (dot) org [email concealed]>,
oss-security (at) lists.openwall (dot) com [email concealed], bugtraq (at) securityfocus (dot) com [email concealed]
===================================================================
CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Cordova Android versions up to and including 3.6.4
Description:
Cordova uses a bridge that allows the Native Application to communicate
with the HTML and Javascript that control the user interface. To protect
this bridge on Android, the
framework uses a BridgeSecret to protect it from third-party hijacking.
However, the BridgeSecret is not sufficiently random and can be determined
in certain scenarios.
Upgrade Path:
Developers who are concerned about this issue should rebuild their
applications with Cordova Android 4.1.1 or later. Version 3.7.1 and later
do not contain this vulnerability.
Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research
Team.
[ reply ]