Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Nov 2015 11:39:56 -0800
From: Joe Bowser <>
To:, Roee Hay <>, 
	"" <>, dev <>, 
	"" <>,,
Subject: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache Cordova Android

CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android

Severity: Low

The Apache Software Foundation

Versions Affected:
Cordova Android versions up to and including 3.6.4


Cordova uses a bridge that allows the Native Application to communicate
with the HTML and Javascript that control the user interface.  To protect
this bridge on Android, the
framework uses a BridgeSecret to protect it from third-party hijacking.
However, the BridgeSecret is not sufficiently random and can be determined
in certain scenarios.

Upgrade Path:
Developers who are concerned about this issue should rebuild their
applications with Cordova Android 4.1.1 or later.  Version 3.7.1 and later
do not contain this vulnerability.

Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ