Apache Cordova Plugin camera vulnerable to information exposure


Apache Cordova Plugin camera is a plugin for Apache Cordova applications, which provides an API for taking pictures and for choosing images from the system image library.
Vulnerable versions of Apache Cordova Plugin camera, when used in Android applications, use the external storage on the device when available, as an image file cache. Any applications with permission READ_EXTERNAL_STORAGE (or WRITE_EXTERNAL_STORAGE also) can access these cache files(CWE-200).

On the source code repository, the commit to fix the vulnerability is done for version 4.2.0, but version 4.2.0 is not officially released. Hence the fixed version is 5.0.0.

Akihiro Matsumura of Saison Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 3.3 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Apache Software Foundation
  • Apache Cordova Plugin camera versions prior to 5.0.0


When a user is tricked into installing some malicious application to the Android device which has an external storage, and the user take a photo with the vulnerable application, then the image (photo) file is cached on the external storage. The malicious application may retrieve the file contents from the external storage.

[Update the Software]
Android cordova application with Cordova Plugin camera should be updated with that plugin version 5.0.0 or higher.
Vendor Information

Apache Software Foundation
CWE (What is CWE?)

  1. Information Exposure(CWE-200) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2020-11990

  1. JVN : JVN#59779918
Revision History

  • [2020/12/07]
      Web page was published