CVE-2014-1423 - OpenCVE

signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Signond Project	Signond
Ubports	Ubuntu Touch

Configuration 1 [-]

cpe:2.3:a:signond_project:signond:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:ubports:ubuntu_touch:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644
http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645
https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380

History

No history.

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2020-05-07T22:25:16.912816Z

Updated: 2024-09-16T23:55:55.461Z

Reserved: 2014-01-13T00:00:00

Link: CVE-2014-1423

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-05-07T23:15:11.310

Modified: 2020-05-12T20:15:08.583

Link: CVE-2014-1423

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "signon", "vendor": "Ubuntu", "versions": [{"lessThan": "8.57+15.04.20141127.1-0ubuntu1", "status": "affected", "version": "Ubuntu 15.04 signon", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Michael Zanetti"}], "datePublic": "2014-11-14T00:00:00", "descriptions": [{"lang": "en", "value": "signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-05-07T22:25:16", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644"}, {"tags": ["x_refsource_MISC"], "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"}], "source": {"defect": ["https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"], "discovery": "INTERNAL"}, "title": "Online Accounts Signon daemon gives out all oauth tokens to any app", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2014-11-14T00:00:00.000Z", "ID": "CVE-2014-1423", "STATE": "PUBLIC", "TITLE": "Online Accounts Signon daemon gives out all oauth tokens to any app"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "signon", "version": {"version_data": [{"version_affected": "<", "version_name": "Ubuntu 15.04 signon", "version_value": "8.57+15.04.20141127.1-0ubuntu1"}]}}]}, "vendor_name": "Ubuntu"}]}}, "credit": [{"lang": "eng", "value": "Michael Zanetti"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-522 Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644", "refsource": "MISC", "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644"}, {"name": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645", "refsource": "MISC", "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645"}, {"name": "https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380", "refsource": "MISC", "url": "https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"}]}, "source": {"defect": ["https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:42:35.442Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"}]}]}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2014-1423", "datePublished": "2020-05-07T22:25:16.912816Z", "dateReserved": "2014-01-13T00:00:00", "dateUpdated": "2024-09-16T23:55:55.461Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:signond_project:signond:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3F079AB-3D0F-4A6A-B2A8-A875199B78A9", "versionEndExcluding": "8.57\\+15.04.20141127.1-0ubuntu1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ubports:ubuntu_touch:-:*:*:*:*:*:*:*", "matchCriteriaId": "5443E410-5EFD-4C9D-84E7-1EBE11780B52", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information."}, {"lang": "es", "value": "signond versiones anteriores a 8.57+15.04.20141127.1-0ubuntu1, como es usado en Ubuntu Touch, no restringi\u00f3 apropiadamente las aplicaciones a partir de consultar los tokens oath debido a unas comprobaciones incorrectas y la falta de instalaci\u00f3n de la signon-apparmor-extension. Un atacante podr\u00eda usar esto para crear una aplicaci\u00f3n de clics maliciosos que recopile tokens oauth para otras aplicaciones, exponiendo informaci\u00f3n confidencial."}], "id": "CVE-2014-1423", "lastModified": "2020-05-12T20:15:08.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.0, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2020-05-07T23:15:11.310", "references": [{"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@ubuntu.com", "type": "Secondary"}]}