oss-security - CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Date: Fri, 20 Nov 2015 11:39:54 -0800
From: Joe Bowser <bowserj@...il.com>
To: vuls@...ert.or.jp, "security@...che.org" <security@...che.org>, dev <dev@...dova.apache.org>, 
	"private@...dova.apache.org" <private@...dova.apache.org>, bugtraq@...urityfocus.com, 
	oss-security@...ts.openwall.com
Subject: CVE-2015-5256: Apache Cordova vulnerable to improper application of
 whitelist restrictions

======================================================================
CVE-2015-5256: Apache Cordova vulnerable to improper application of
whitelist restrictions

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android 3.7.2 and earlier

Description:
Android applications created using Apache Cordova that use a remote server
contain a vulnerability where whitelist restrictions are not properly
applied.
Improperly crafted URIs could be used to circumvent the whitelist, allowing
for the execution of non-whitelisted Javascript.

Upgrade path:
Developers who are concerned about this should rebuild their applications
with Cordova Android 4.1.1 or later and use the new whitelist.  Developers
using remote content roots should also use SSL, as well as Content Security
Policy to further mitigate this issue.

Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.