Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2011-2344

Overview

Vulnerability Score 10.0 10.0
CVE Id CVE-2011-2344
Last Modified 08 Jul 2011 12:00:00
Published 08 Jul 2011 01:55:01
Confidentiality Impact COMPLETE COMPLETE
Integrity Impact COMPLETE COMPLETE
Availability Impact COMPLETE COMPLETE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2011-2344

Summary

Android Picasa in Android 3.0 and 2.x through 2.3.4 uses a cleartext HTTP session when transmitting the authToken obtained from ClientLogin, which allows remote attackers to gain privileges and access private pictures and web albums by sniffing the token from connections with picasaweb.google.com.

Vulnerable Systems

Operating System

  • Google Android 2.1

  • Google Android 2.2

  • Google Android 2.2.1

  • Google Android 2.2.2

  • Google Android 2.3

  • Google Android 2.3.3

  • Google Android 2.3.4

  • Google Android 3.0


References

MISC - http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

CONFIRM - http://android.git.kernel.org/?p=platform/packages/apps/Gallery3D.git;a=commit;h=9a418de454e5ce078c98f41b5c18e3bb9175bd20

CONFIRM - http://android.git.kernel.org/?p=platform/packages/apps/Gallery3D.git;a=commit;h=7a763db1c15bb6436be85a3f23382e4171970b6e


Last Updated: 27 May 2016 10:56:59