6.5

CVE-2020-12270

Exploit

EPSS 0.85%
Veröffentlicht 27.04.2020 04:15:10
Zuletzt bearbeitet 21.11.2024 04:59:24
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alphanumeric IDs, which might make it easier for remote attackers to interfere with COVID-19 contact tracing by using many IDs. NOTE: the vendor disputes the relevance of this report because the recipient of an F1 alert will know it was a false alert if contact-history comparison fails (i.e., an F0 is not actually part of the contact history obtained from the device of this recipient, or this recipient is not actually part of the contact history obtained from the device of an F0)

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Bluezone ≫ Bluezone Version1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.85%	0.741

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	3.3	6.5	2.9	AV:A/AC:L/Au:N/C:P/I:N/A:N

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

https://bluezone.ai/CVE

https://github.com/BluezoneGlobal/bluezone-app/blob/afa15fcec391f0edc51d0486a4ca84dd2520bbb3/CHANGELOG.md

Third Party Advisory

Release Notes

https://github.com/BluezoneGlobal/bluezone-app/blob/afa15fcec391f0edc51d0486a4ca84dd2520bbb3/package.json#L27

Third Party Advisory

https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/AndroidManifest.xml#L11-L12

Third Party Advisory

https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/java/com/scan/BluezonerIdGenerator.java#L18-L28

Third Party Advisory

https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/java/com/scan/TraceCovidModule.java#L98

Third Party Advisory

https://vnhacker.blogspot.com/2020/04/vietnams-contact-tracing-app_26.html

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2020-12270

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-12270

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-12270

EUVD