Insecure Randomness

Affecting cordova-android package, versions <3.7.1

Overview

cordova-android is an Android application library that allows for Cordova-based projects to be built for the Android Platform.

Affected versions of the package are vulnerable to Insecure Randomness. It improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value.
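
The class of weakness described above, next to a hardened form, as an added example (not code from cordova-android or from this advisory). It assumes the weak value comes from a non-cryptographic generator such as java.util.Random; the class name, method names, sample seed and 128-bit secret size are hypothetical choices for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Random;

// Constructed illustration; class and method names are hypothetical.
public class BridgeSecretExample {

    // Weak: java.util.Random is a linear congruential generator whose
    // entire output stream is fixed by its 48-bit seed, so a secret drawn
    // from it carries no more entropy than that seed.
    static int weakSecret(long seed) {
        return new Random(seed).nextInt(Integer.MAX_VALUE);
    }

    // Hardened: draw the secret from the platform CSPRNG.
    private static final SecureRandom CSPRNG = new SecureRandom();

    static byte[] strongSecret() {
        byte[] secret = new byte[16]; // 128 bits, an illustrative size
        CSPRNG.nextBytes(secret);
        return secret;
    }

    // Constant-time comparison, so the check does not reveal how many
    // leading bytes of a presented secret were correct.
    static boolean verify(byte[] expected, byte[] presented) {
        return presented != null && MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) {
        long seed = 1447891200000L; // constructed sample seed

        // Same seed, same "secret": the value is a pure function of the seed.
        System.out.println("weak secrets equal:   "
                + (weakSecret(seed) == weakSecret(seed)));

        // Two CSPRNG draws are independent of each other.
        byte[] a = strongSecret();
        byte[] b = strongSecret();
        System.out.println("strong secrets equal: " + MessageDigest.isEqual(a, b));

        System.out.println("verify(correct): " + verify(a, a.clone()));
        System.out.println("verify(wrong):   " + verify(a, b));
    }
}
```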

Remediation

Upgrade cordova-android to version 3.7.1 or higher.

CVSS Score

3.1 (low severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Credit: David Kaplan, Roee Hay
CVE: CVE-2015-8320
CWE: CWE-330
Snyk ID: npm:cordova-android:20151120
Disclosed: 19 Nov, 2015
Published: 21 Jun, 2017