CVE-2019-13098 - OpenCVE

The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Android
Tronlink	Wallet

Configuration 1 [-]

AND

cpe:2.3:a:tronlink:wallet:2.2.0:*:*:*:*:*:*:*

cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://pastebin.com/a5VhaxYn
https://pastebin.com/raw/rVGbwSw0

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-22T15:52:59

Updated: 2024-08-04T23:41:10.312Z

Reserved: 2019-06-30T00:00:00

Link: CVE-2019-13098

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-07-22T16:15:15.737

Modified: 2019-07-24T15:03:00.407

Link: CVE-2019-13098

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-22T15:52:59", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://pastebin.com/a5VhaxYn"}, {"tags": ["x_refsource_MISC"], "url": "https://pastebin.com/raw/rVGbwSw0"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13098", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://pastebin.com/a5VhaxYn", "refsource": "MISC", "url": "https://pastebin.com/a5VhaxYn"}, {"name": "https://pastebin.com/raw/rVGbwSw0", "refsource": "MISC", "url": "https://pastebin.com/raw/rVGbwSw0"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:41:10.312Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pastebin.com/a5VhaxYn"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pastebin.com/raw/rVGbwSw0"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13098", "datePublished": "2019-07-22T15:52:59", "dateReserved": "2019-06-30T00:00:00", "dateUpdated": "2024-08-04T23:41:10.312Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tronlink:wallet:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "F091AB37-D152-41C6-9588-C62217504E78", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B6AA817-58DB-4915-9F7F-94AA7181AE5A", "versionEndExcluding": "4.1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications."}, {"lang": "es", "value": "La contrase\u00f1a de usuario por medio del formulario de registro de TronLink Wallet versi\u00f3n 2.2.0 es almacenada en el registro cuando se llama a la clase CreateWalletTwoActivity. Otros usuarios autenticados pueden leerlo en el registro m\u00e1s adelante. Los datos registrados pueden ser le\u00eddos utilizando Logcat en el dispositivo. Cuando se usan plataformas anteriores a Android versi\u00f3n 4.1 (Jelly Bean), los datos de registro no se encuentran en un sandbox por aplicaci\u00f3n; Cualquier aplicaci\u00f3n instalada en el dispositivo tiene la capacidad de leer datos registrados por otras aplicaciones."}], "id": "CVE-2019-13098", "lastModified": "2019-07-24T15:03:00.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-22T16:15:15.737", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://pastebin.com/a5VhaxYn"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://pastebin.com/raw/rVGbwSw0"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}