Insecure Defaults
Affecting cordova-plugin-file-transfer package, versions <0.4.2
Overview
cordova-plugin-file-transfer is a Cordova File Transfer Plugin.
Affected versions of this package are vulnerable to Insecure Defaults. ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option.
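Because the affected iOS plugin treats a missing trustAllHosts argument as true, application code should never leave that argument to the default. The wrapper below is an added example (not code from the advisory or from the plugin) that pins trustAllHosts to false on every call and refuses non-https endpoints; it assumes the plugin's documented argument order, download(source, target, success, error, trustAllHosts, options) and upload(fileURL, server, success, error, options, trustAllHosts).

```javascript
// Added example: app-side wrapper around cordova-plugin-file-transfer that
// never relies on the plugin's trustAllHosts default (assumed signatures:
//   download(source, target, success, error, trustAllHosts, options)
//   upload(fileURL, server, success, error, options, trustAllHosts)).

// Only https:// endpoints are accepted, so a plain-http URL cannot sidestep
// certificate validation either.
function isHttpsUrl(url) {
  try {
    return new URL(url).protocol === 'https:';
  } catch (e) {
    return false; // unparsable string is treated as unsafe
  }
}

// Download with trustAllHosts explicitly false. Returning a Promise means the
// caller has no trailing boolean to forget.
function safeDownload(fileTransfer, source, target, options) {
  if (!isHttpsUrl(source)) {
    return Promise.reject(new Error('refusing non-https download: ' + source));
  }
  return new Promise(function (resolve, reject) {
    fileTransfer.download(source, target, resolve, reject,
      /* trustAllHosts */ false, options || {});
  });
}

// Upload with trustAllHosts explicitly false. Note that upload() takes the
// flag after the options object, the opposite order from download().
function safeUpload(fileTransfer, fileURL, server, options) {
  if (!isHttpsUrl(server)) {
    return Promise.reject(new Error('refusing non-https upload: ' + server));
  }
  return new Promise(function (resolve, reject) {
    fileTransfer.upload(fileURL, server, resolve, reject,
      options || {}, /* trustAllHosts */ false);
  });
}

// On a device (hypothetical usage, target path assumed):
//   safeDownload(new FileTransfer(), 'https://updates.example.invalid/a.zip',
//                cordova.file.dataDirectory + 'a.zip').then(...).catch(...);
```

Pinning the flag in the caller protects apps that cannot upgrade immediately, but it is a complement to the upgrade in the Remediation section, not a replacement for it.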
Details
When deciding on the default configuration, the package owner must take into consideration both usability and security, based on reasonable assumptions as to how their package will be used. But more often than not, package consumers do not abide by those assumptions, and this may open their hosting server to attacks by malicious users.
You can read more about Insecure Defaults on our blog.
Remediation
Upgrade cordova-plugin-file-transfer to version 0.4.2 or higher.
CVSS Score
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Credit: Neil Bergman
- CVE: CVE-2014-0072
- CWE: CWE-297
- Snyk ID: npm:cordova-plugin-file-transfer:20140219
- Disclosed: 18 Feb, 2014
- Published: 09 Nov, 2017