lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 20 Nov 2015 11:47:09 -0800
From: Shazron <shazron@...che.org>
To: bugtraq@...urityfocus.com
Subject: Fwd: CVE-2015-5256: Apache Cordova vulnerable to improper application
 of whitelist restrictions

---------- Forwarded message ----------
From: Joe Bowser <bowserj@...il.com>
Date: Fri, Nov 20, 2015 at 11:39 AM
Subject: CVE-2015-5256: Apache Cordova vulnerable to improper
application of whitelist restrictions
To: vuls@...ert.or.jp, "security@...che.org" <security@...che.org>,
dev <dev@...dova.apache.org>, "private@...dova.apache.org"
<private@...dova.apache.org>, bugtraq@...urityfocus.com,
oss-security@...ts.openwall.com


======================================================================
CVE-2015-5256: Apache Cordova vulnerable to improper application of
whitelist restrictions

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android 3.7.2 and earlier

Description:
Android applications created using Apache Cordova that use a remote server
contain a vulnerability where whitelist restrictions are not properly
applied.
Improperly crafted URIs could be used to circumvent the whitelist, allowing
for the execution of non-whitelisted Javascript.

Upgrade path:
Developers who are concerned about this should rebuild their applications
with Cordova Android 4.1.1 or later and use the new whitelist.  Developers
using remote content roots should also use SSL, as well as Content Security
Policy to further mitigate this issue.

Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ