Total
7 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12717 | 4 Alberta, Gov, Health and 1 more | 4 Abtracetogether, Protego Safe, Covidsafe and 1 more | 2024-02-04 | 3.3 LOW | 6.5 MEDIUM |
| The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected. | |||||
| CVE-2020-12860 | 1 Health | 1 Covidsafe | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| COVIDSafe through v1.0.17 allows a remote attacker to access phone name and model information because a BLE device can have four roles and COVIDSafe uses all of them. This allows for re-identification of a device, and potentially identification of the owner's name. | |||||
| CVE-2020-12856 | 3 Alberta, Health, Tracetogether | 3 Abtracetogether, Covidsafe, Tracetogether | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used. | |||||
| CVE-2020-12858 | 1 Health | 1 Covidsafe | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Non-reinitialisation of random data in the advertising payload in COVIDSafe v1.0.15 and v1.0.16 allows a remote attacker to re-identify Android devices running COVIDSafe by scanning for their advertising beacons. | |||||
| CVE-2020-12859 | 1 Health | 1 Covidsafe | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| Unnecessary fields in the OpenTrace/BlueTrace protocol in COVIDSafe through v1.0.17 allow a remote attacker to identify a device model by observing cleartext payload data. This allows re-identification of devices, especially less common phone models or those in low-density situations. | |||||
| CVE-2020-14292 | 1 Health | 1 Covidsafe | 2024-02-04 | 2.9 LOW | 5.7 MEDIUM |
| In the COVIDSafe application through 1.0.21 for Android, unsafe use of the Bluetooth transport option in the GATT connection allows attackers to trick the application into establishing a connection over Bluetooth BR/EDR transport, which reveals the public Bluetooth address of the victim's phone without authorisation, bypassing the Bluetooth address randomisation protection in the user's phone. | |||||
| CVE-2020-12857 | 1 Health | 1 Covidsafe | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Caching of GATT characteristic values (TempID) in COVIDSafe v1.0.15 and v1.0.16 allows a remote attacker to long-term re-identify an Android device running COVIDSafe. | |||||