CVE-2020-24721 - OpenCVE

An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Exposure Notifications
Google	Exposure Notifications

Configuration 1 [-]

OR	cpe:2.3:a:apple:exposure_notifications::::::iphone_os::*
	cpe:2.3:a:google:exposure_notifications::::::android::*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html
https://blog.google/inside-google/company-announcements/update-exposure-notifications
https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt
https://seclists.org/fulldisclosure/2020/Sep/53

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-09-30T17:43:01

Updated: 2024-08-04T15:19:09.329Z

Reserved: 2020-08-27T00:00:00

Link: CVE-2020-24721

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-09-30T18:15:25.193

Modified: 2020-10-22T16:16:12.733

Link: CVE-2020-24721

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-07T14:21:42", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.google/inside-google/company-announcements/update-exposure-notifications"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt"}, {"name": "FULLDISC: 20200929 CVE-2020-24721: Corona Exposure Notifications API: risk of coercion/data leakage [vs]", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "https://seclists.org/fulldisclosure/2020/Sep/53"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24721", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.google/inside-google/company-announcements/update-exposure-notifications", "refsource": "MISC", "url": "https://blog.google/inside-google/company-announcements/update-exposure-notifications"}, {"name": "https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt", "refsource": "MISC", "url": "https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt"}, {"name": "FULLDISC: 20200929 CVE-2020-24721: Corona Exposure Notifications API: risk of coercion/data leakage [vs]", "refsource": "FULLDISC", "url": "https://seclists.org/fulldisclosure/2020/Sep/53"}, {"name": "http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:19:09.329Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.google/inside-google/company-announcements/update-exposure-notifications"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt"}, {"name": "FULLDISC: 20200929 CVE-2020-24721: Corona Exposure Notifications API: risk of coercion/data leakage [vs]", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "https://seclists.org/fulldisclosure/2020/Sep/53"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24721", "datePublished": "2020-09-30T17:43:01", "dateReserved": "2020-08-27T00:00:00", "dateUpdated": "2024-08-04T15:19:09.329Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:exposure_notifications:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "CA22CE37-087B-4D32-AC82-13B37111FEE6", "versionEndIncluding": "1.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:exposure_notifications:*:*:*:*:*:android:*:*", "matchCriteriaId": "A166EFE6-E9AC-43DA-8762-1E31654FD6DF", "versionEndIncluding": "1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en el protocolo GAEN (alias Google/Apple Exposure Notifications) hasta el 29 de septiembre de 2020, tal como se utiliza en las aplicaciones COVID-19 en Android e iOS. Permite poner a un usuario en una posici\u00f3n en la que puede ser coaccionado para probar o refutar una notificaci\u00f3n de exposici\u00f3n, debido al estado persistente de un marco privado"}], "id": "CVE-2020-24721", "lastModified": "2020-10-22T16:16:12.733", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-30T18:15:25.193", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://blog.google/inside-google/company-announcements/update-exposure-notifications"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2020/Sep/53"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}