Apache Cordova has re-visited CVE-2015-5256 "Apache Cordova vulnerable to improper application of whitelist restrictions on Android”. Upon further investigation we found that the vulnerability is more limited than was previously understood. We are lowering the severity to Low, and updating the description, affected versions, and upgrade path.
CVE-2015-5257 continues to be a valid vulnerability present in Cordova 3.6.4 and this is fixed in later versions of Cordova, and we want to encourage users to upgrade to 4.1.1 and for users needing to support Marshmallow (API 23+) we recommend to upgrade to Cordova Android 5.1.x.
When using the Cordova CLI, the command to use 4.1.1 or 5.1.0 of Cordova Android is:
cordova platform add email@example.com cordova platform add firstname.lastname@example.org
The security issues are CVE-2015-5256 and CVE-2015-5257
For your convenience, the text of the CVEs are included here.
CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions on Android
Versions Affected: Cordova Android with whitelist functionality
Android applications created using Apache Cordova that use a remote server contain a vulnerability where whitelist restrictions for urls using protocols http and https are not properly applied. Whitelist cannot block network redirects from a whitelisted remote website to a non-whitelisted website.
There is no specific software patch for this vulnerability. Developers that are concerned about this should make sure to only whitelist trusted websites, and make sure that whitelisted websites don’t redirect to a malicious website. Developers should also use SSL, as well as Content Security Policy(CSP) to further mitigate this issue. It’s always recommended for developers to upgrade to the latest version of Cordova Android.
Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc
CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android
Vendor: The Apache Software Foundation
Versions Affected: Cordova Android versions up to 3.6.4
Developers who are concerned about this issue should rebuild their applications with Cordova Android 4.1.1 or later. Versions after 3.6.4 do not contain this vulnerability.
Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team