CVE-2021-43849 – cordova-plugin-fingerprint-aio
Package
Manager: npm
Name: cordova-plugin-fingerprint-aio
Vulnerable Version: >=0 <5.0.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00074 (percentile 0.22976)
Details
cordova-plugin-fingerprint-aio DoS vulnerability

## Summary

Sending a specially crafted intent with invalid or empty extras to `de.niklasmerz.cordova.biometric.BiometricActivity` can cause the app to crash. Sending the intent repeatedly can prevent the app using this plugin from working, resulting in a denial of service (DoS) condition.

## Impact

A third-party app or remote attacker can exploit this vulnerability by sending a malicious intent to the target device, causing the app using this plugin to crash or become unresponsive, resulting in a denial of service (DoS) condition.

## Mitigation

Version 5.0.1 of cordova-plugin-fingerprint-aio no longer exports the activity and is no longer vulnerable. If you want to fix older versions, change the attribute `android:exported` of this code snippet in plugin.xml to `false`:

```xml
<config-file target="AndroidManifest.xml" parent="application">
  <activity android:name="de.niklasmerz.cordova.biometric.BiometricActivity"
            android:theme="@style/TransparentTheme"
            android:exported="false"/>
</config-file>
```

## Patches

Please upgrade to version 5.0.1 as soon as possible. Please check out the release on [GitHub](https://github.com/NiklasMerz/cordova-plugin-fingerprint-aio/releases/tag/v5.0.1).

## For more information

If you have any questions or comments about this advisory, please go to the discussion on [GitHub](https://github.com/NiklasMerz/cordova-plugin-fingerprint-aio/discussions/394).
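The mitigation above hinges on one manifest attribute, so a quick audit of a plugin's `plugin.xml` for activities it injects as exported is the check a practitioner would want before and after applying it. The script below is an added example written for this advisory, not code from the plugin or the advisory; the `plugin.xml` it parses is a constructed sample shaped like the snippet above, with one activity still exported.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample plugin.xml modelled on the advisory's snippet: the biometric
# activity in the vulnerable (exported) shape, plus a non-exported activity for contrast.
SAMPLE_PLUGIN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="http://apache.org/cordova/ns/plugins/1.0"
        xmlns:android="http://schemas.android.com/apk/res/android"
        id="example-plugin" version="0.0.0">
  <platform name="android">
    <config-file target="AndroidManifest.xml" parent="application">
      <activity android:name="de.niklasmerz.cordova.biometric.BiometricActivity"
                android:theme="@style/TransparentTheme"
                android:exported="true"/>
      <activity android:name="com.example.InternalActivity"
                android:exported="false"/>
    </config-file>
  </platform>
</plugin>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag ('{ns}activity' -> 'activity')."""
    return tag.split("}")[-1]


def exported_activities(plugin_xml: str) -> list:
    """Return the android:name of every activity the plugin injects into
    AndroidManifest.xml that other apps could start: android:exported="true",
    or no android:exported attribute while an <intent-filter> is present
    (on Android versions before 12 that combination defaults to exported)."""
    root = ET.fromstring(plugin_xml)
    findings = []
    for cfg in root.iter():
        if _local(cfg.tag) != "config-file" or cfg.get("target") != "AndroidManifest.xml":
            continue
        for activity in cfg.iter():
            if _local(activity.tag) != "activity":
                continue
            name = activity.get(f"{{{ANDROID_NS}}}name", "<unnamed>")
            exported = activity.get(f"{{{ANDROID_NS}}}exported")
            has_filter = any(_local(child.tag) == "intent-filter" for child in activity)
            if exported == "true" or (exported is None and has_filter):
                findings.append(name)
    return findings


if __name__ == "__main__":
    for name in exported_activities(SAMPLE_PLUGIN_XML):
        print(f"exported activity: {name}")
```

Run it against a real plugin's `plugin.xml` by reading the file into `exported_activities`; an empty result for the biometric activity confirms the `android:exported="false"` fix is in place.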
Metadata
Created: 2023-11-02T20:44:41Z
Modified: 2023-11-02T20:44:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-7vfx-hfvm-rhr8/GHSA-7vfx-hfvm-rhr8.json
CWE IDs: ["CWE-617"]
Alternative ID: GHSA-7vfx-hfvm-rhr8
Finding: F138
Auto approve: 1