Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 6.8
CVE Id: CVE-2012-6636
Last Modified: 03 Mar 2014 03:30:37
Published: 02 Mar 2014 11:50:46
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2012-6636

Summary

The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.

Vulnerable Systems

Application

  • Google Android API 1.0
  • Google Android API 2.0
  • Google Android API 3.0
  • Google Android API 4.0
  • Google Android API 5.0
  • Google Android API 6.0
  • Google Android API 7.0
  • Google Android API 8.0
  • Google Android API 9.0
  • Google Android API 10.0
  • Google Android API 11.0
  • Google Android API 12.0
  • Google Android API 13.0
  • Google Android API 14.0
  • Google Android API 15.0
  • Google Android API 16.0


References

MISC - http://www.internetsociety.org/ndss2014/programme#session3

MISC - http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf

MLIST - [oss-security] 20140207 Re: CVE request: multiple issues in Apache Cordova/PhoneGap

CONFIRM - http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29

CONFIRM - http://developer.android.com/reference/android/os/Build.VERSION_CODES.html#JELLY_BEAN_MR1

MISC - http://50.56.33.56/blog/?p=314


Last Updated: 27 May 2016 10:56:46