CVE-2020-12717

The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected.

CVSS v3 6.5 MEDIUM
CVSS v2.0 3.3 LOW

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

3.3^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 6.5 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708
https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:alberta:abtracetogether:-:::::iphone_os::
	cpe:2.3:a:gov:protego_safe:-:::::iphone_os::
	cpe:2.3:a:health:covidsafe:1.0:::::iphone_os::
	cpe:2.3:a:health:covidsafe:1.1:::::iphone_os::
	cpe:2.3:a:tracetogether:tracetogether:-:::::iphone_os::

History

21 Nov 2024, 05:00

Type	Values Removed	Values Added
References	~~() https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708 -~~	() https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708 -

Information

Published : 2020-05-14 05:15

Updated : 2024-11-21 05:00

NVD link : CVE-2020-12717

Mitre link : CVE-2020-12717

CVE.ORG link : CVE-2020-12717

JSON object : View

Products Affected

health

covidsafe

gov

protego_safe

alberta

abtracetogether

tracetogether

tracetogether

CWE

NVD-CWE-noinfo

{"id": "CVE-2020-12717", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-05-14T05:15:10.987", "references": [{"url": "https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708", "source": "cve@mitre.org"}, {"url": "https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected."}, {"lang": "es", "value": "La aplicaci\u00f3n COVIDSafe (Australia) versiones 1.0 y 1.1 para iOS, permite a un atacante remoto bloquear la aplicaci\u00f3n, y en consecuencia interferir con el rastreo de contactos de COVID-19, por medio de un anuncio de Bluetooth que contiene datos del fabricante que son muy cortos. Esto se presenta debido a una llamada err\u00f3nea de OpenTrace manuData.subdata. Las aplicaciones ABTraceTogether (Alberta), ProteGO (Polonia), y TraceTogether (Singapur) tambi\u00e9n estaban afectadas."}], "lastModified": "2024-11-21T05:00:08.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:alberta:abtracetogether:-:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "35FD1BAA-06DA-4048-9175-7B6305FA90F2"}, {"criteria": "cpe:2.3:a:gov:protego_safe:-:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "3670D0D0-0043-4575-887B-CD75EA4BEB26"}, {"criteria": "cpe:2.3:a:health:covidsafe:1.0:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "39EB4CCA-71AA-4DE7-A3FE-5A535E9C34B9"}, {"criteria": "cpe:2.3:a:health:covidsafe:1.1:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "94AB46DD-B889-4072-B63F-561E663C5FBD"}, {"criteria": "cpe:2.3:a:tracetogether:tracetogether:-:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "39F397CD-004A-46A4-8EC1-33D26F2E3DD2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}