Information Exposure
Affecting cordova-plugin-ios-keychain package, ALL versions
Overview
cordova-plugin-ios-keychain is an Apache Cordova (PhoneGap) plugin.
Affected versions of this package are vulnerable to Information Exposure Through Log Files in CDVKeychain.m. It can result in leakage of logins, passwords and other sensitive data. This attack appears to be exploitable by an attacker who has access to the victim's iOS logs.
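A review aid for the log-exposure pattern described above, as an added example that is not part of the advisory or the plugin's code: it scans Objective-C source for `NSLog` calls whose arguments have secret-looking names. The identifier heuristic and the sample source are assumptions constructed for illustration.

```python
import re

NSLOG = re.compile(r"\bNSLog\s*\(")
STRING = re.compile(r'@?"(?:\\.|[^"\\])*"')
# Assumed naming heuristic for secrets; tune it to the code base being reviewed.
SENSITIVE = re.compile(r"passw|secret|token|credential|value|user|login", re.I)

def call_body(src, start):
    """Text between the parentheses of a call; `start` is the index just after '('."""
    depth, i, in_str = 1, start, False
    while i < len(src) and depth:
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        i += 1
    return src[start:i - 1] if depth == 0 else src[start:]

def audit(src):
    """Return (line, identifiers) for NSLog calls whose arguments look sensitive."""
    findings = []
    for m in NSLOG.finditer(src):
        args = STRING.sub("", call_body(src, m.end()))   # drop literals, keep arguments
        names = [n for n in re.findall(r"[A-Za-z_]\w*", args) if SENSITIVE.search(n)]
        if names:
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, list(dict.fromkeys(names))))
    return findings

# Constructed Objective-C sample, not the plugin's actual source.
SAMPLE = '''- (void)setForKey:(NSString *)key value:(NSString *)value {
    NSLog(@"Saving keychain item");
    NSLog(@"set key=%@ value=%@", key, value);
    NSLog(@"login (%@) / %@",
          username, [self passwordFor:username]);
    NSLog(@"status (%d)", status);
}
'''

if __name__ == "__main__":
    for line, names in audit(SAMPLE):
        print(f"line {line}: NSLog receives {', '.join(names)}")
```

Calls flagged this way are candidates for manual review; a constant-message log line or a non-secret argument such as a status code is not reported.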
Remediation
There is a fix for cordova-plugin-ios-keychain, pushed into the master branch but not yet published.
References
CVSS Score
6.5 (medium severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
- Credit: Unknown
- CVE: CVE-2018-1000123
- CWE: CWE-200
- Snyk ID: npm:cordova-plugin-ios-keychain:20180306
- Disclosed: 06 Mar, 2018
- Published: 21 Mar, 2018