JVNDB-2018-000133

cordova-plugin-ionic-webview vulnerable to path traversal

cordova-plugin-ionic-webview provided by npm, Inc. contains a path traversal vulnerability (CWE-22) .

This vulnerability was first reported to npm, Inc. by the below reporters then also reported to IPA. Based on the coordination request made by the reporters, JPCERT/CC coordinated with npm, Inc. and published this advisory on JVN.

Reporters: Tatsuya Sakamto and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.

Ionic

• cordova-plugin-ionic-webview versions prior to 2.2.0

According to nmp, Inc. below versions are not affected by this vulnerability.
* 2.0.0-beta.0
* 2.0.0-beta.1
* 2.0.0-beta.2
* 2.1.0-0

A remote attacker may obtain an arbitrary file such as a file related to an application on iOS device. As a result, contents of the file may be disclosed.

[Recreate iOS application incorporating the latest version of cordova-plugin-ionic-webview]
This vulnerability has been addressed in cordova-plugin-ionic-webview 2.2.0 and upper versions.
The developers of iOS applications using cordova-plugin-ionic-webview are recommended to recreate the applications incorporating the latest version of cordova-plugin-ionic-webview to resolve this vulnerability.

Ionic

• ionic-team : ionic-team/cordova-plugin-ionic-webview
• npm, Inc. : Path Traversal cordova-plugin-ionic-webview

1. Path Traversal(CWE-22) [IPA Evaluation]

1. CVE-2018-16202

1. JVN : JVN#69812763
2. National Vulnerability Database (NVD) : CVE-2018-16202

• [2018/12/21]
    Web page was published
• [2019/08/28]
    References : Content was added