CVE-2020-12860

Published: May 18, 2020Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

COVIDSafe through v1.0.17 allows a remote attacker to access phone name and model information because a BLE device can have four roles and COVIDSafe uses all of them. This allows for re-identification of a device, and potentially identification of the owner's name.

Affected (2)

Products: Health: Covidsafe

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Health Covidsafe	Up to 1.0.17
Health Covidsafe	All versions

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

https://docs.google.com/document/d/1u5a5ersKBH6eG362atALrzuXo3zuZ70qrGomWVEC27U/edit?usp=sharing

Source: cve@mitre.org

Third Party Advisory

https://www.health.gov.au/resources/apps-and-tools/covidsafe-app

Source: cve@mitre.org

ProductVendor Advisory

https://docs.google.com/document/d/1u5a5ersKBH6eG362atALrzuXo3zuZ70qrGomWVEC27U/edit?usp=sharing

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.health.gov.au/resources/apps-and-tools/covidsafe-app

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

Timeline

No history available yet.