CVE-2014-0647 - OpenCVE

The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Iphone Os
Starbucks	Starbucks

Configuration 1 [-]

AND

cpe:2.3:a:starbucks:starbucks:2.6.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2014/Jan/123
http://seclists.org/fulldisclosure/2014/Jan/64
http://www.osvdb.org/102514
http://www.securityfocus.com/archive/1/530756/100/0/threaded
http://www.securityfocus.com/bid/64942
http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/
http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/
https://exchange.xforce.ibmcloud.com/vulnerabilities/90412
https://itunes.apple.com/us/app/starbucks/id331177714?mt=8

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-01-28T00:00:00

Updated: 2024-08-06T09:20:19.937Z

Reserved: 2014-01-02T00:00:00

Link: CVE-2014-0647

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-01-28T00:55:03.957

Modified: 2018-10-09T19:42:04.093

Link: CVE-2014-0647

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-13T00:00:00", "descriptions": [{"lang": "en", "value": "The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/"}, {"name": "20140113 [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Jan/64"}, {"tags": ["x_refsource_MISC"], "url": "https://itunes.apple.com/us/app/starbucks/id331177714?mt=8"}, {"tags": ["x_refsource_MISC"], "url": "http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/"}, {"name": "20140114 [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/530756/100/0/threaded"}, {"name": "20140117 Re: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Jan/123"}, {"name": "64942", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/64942"}, {"name": "102514", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/102514"}, {"name": "starbucks-cve20140647-info-disclosure(90412)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90412"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-0647", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/", "refsource": "MISC", "url": "http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/"}, {"name": "20140113 [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Jan/64"}, {"name": "https://itunes.apple.com/us/app/starbucks/id331177714?mt=8", "refsource": "MISC", "url": "https://itunes.apple.com/us/app/starbucks/id331177714?mt=8"}, {"name": "http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/", "refsource": "MISC", "url": "http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/"}, {"name": "20140114 [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/530756/100/0/threaded"}, {"name": "20140117 Re: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Jan/123"}, {"name": "64942", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64942"}, {"name": "102514", "refsource": "OSVDB", "url": "http://www.osvdb.org/102514"}, {"name": "starbucks-cve20140647-info-disclosure(90412)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90412"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:20:19.937Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/"}, {"name": "20140113 [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2014/Jan/64"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://itunes.apple.com/us/app/starbucks/id331177714?mt=8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/"}, {"name": "20140114 [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/530756/100/0/threaded"}, {"name": "20140117 Re: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2014/Jan/123"}, {"name": "64942", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/64942"}, {"name": "102514", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/102514"}, {"name": "starbucks-cve20140647-info-disclosure(90412)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90412"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-0647", "datePublished": "2014-01-28T00:00:00", "dateReserved": "2014-01-02T00:00:00", "dateUpdated": "2024-08-06T09:20:19.937Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:starbucks:starbucks:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "1F970B50-FBA6-4885-9D5A-E8D78B16BFD2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "340C4071-1447-477F-942A-8E09EA29F917", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog."}, {"lang": "es", "value": "La aplicaci\u00f3n Starbucks 2.6.1 para iOS almacena informaci\u00f3n sensible en texto plano en el archivo log de Crashlyrics (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), lo que permite a atacantes descubrir nombres de usuario, contrase\u00f1as, y direcciones de e-mail a trav\u00e9s de una aplicaci\u00f3n que lea session.clslog."}], "id": "CVE-2014-0647", "lastModified": "2018-10-09T19:42:04.093", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-28T00:55:03.957", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2014/Jan/123"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2014/Jan/64"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/102514"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/530756/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/64942"}, {"source": "cve@mitre.org", "url": "http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/"}, {"source": "cve@mitre.org", "url": "http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90412"}, {"source": "cve@mitre.org", "url": "https://itunes.apple.com/us/app/starbucks/id331177714?mt=8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}