JVNDB-2020-000081

Apache Cordova Plugin camera vulnerable to information exposure

Apache Cordova Plugin camera is a plugin for Apache Cordova applications, which provides an API for taking pictures and for choosing images from the system image library.
Vulnerable versions of Apache Cordova Plugin camera, when used in Android applications, use the external storage on the device when available, as an image file cache. Any applications with permission READ_EXTERNAL_STORAGE (or WRITE_EXTERNAL_STORAGE also) can access these cache files(CWE-200).

On the source code repository, the commit to fix the vulnerability is done for version 4.2.0, but version 4.2.0 is not officially released. Hence the fixed version is 5.0.0.

Akihiro Matsumura of Saison Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Apache Software Foundation

• Apache Cordova Plugin camera versions prior to 5.0.0

When a user is tricked into installing some malicious application to the Android device which has an external storage, and the user take a photo with the vulnerable application, then the image (photo) file is cached on the external storage. The malicious application may retrieve the file contents from the external storage.

[Update the Software]
Android cordova application with Cordova Plugin camera should be updated with that plugin version 5.0.0 or higher.

Apache Software Foundation

• Apache Cordova : Security Advisory CVE-2020-11990
• GitHub : Cache images in device storage, devices have enough space now.

1. Information Exposure(CWE-200) [IPA Evaluation]

1. CVE-2020-11990

1. JVN : JVN#59779918
2. National Vulnerability Database (NVD) : CVE-2020-11990

• [2020/12/07]
    Web page was published