We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications.
CVE-2020-11990: Apache Cordova Plugin camera vulnerable to information disclosure
Type of Vulnerability:
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Vendor: The Apache Software Foundation
Possible attackers condition:
An attacker who can install (or lead the victim to install) a specially crafted (or malicious) Android application. The Android documentation describes the external cache location as application-specific; however, "There is no security enforced with these files. For example, any application holding Manifest.permission.WRITE_EXTERNAL_STORAGE can write to these files" (and thereby read them).
Android users who take pictures with an Apache Cordova-based application and have removable storage attached.
- Confidentiality is breached.
- Image files (photos) taken by Android apps developed using the Apache Cordova camera plugin will be disclosed.
Cordova Android applications using the Camera plugin
(cordova-plugin-camera version 4.1.0 and below)
Developers who are concerned about this issue should install version 5.0.0 or higher of cordova-plugin-camera.
Upgrade plugin and rebuild application, update deployments.
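To find projects that still need the upgrade, the following added example (not part of the original advisory or the Cordova project's code) checks the cordova-plugin-camera version declared in a project's package.json and config.xml. The function names, status labels and sample inputs are assumptions made for illustration.

```javascript
// Added example: audit the declared cordova-plugin-camera version of a Cordova project.
// Per the advisory, 5.0.0 or higher is the fix, so any spec that starts below 5 is flagged.
const PLUGIN = 'cordova-plugin-camera';
const FIXED_MAJOR = 5;

// Classify one version spec ("^4.1.0", "~4.0.3", "5.0.0", ...).
// Git URLs, local paths, tags, prereleases and compound ranges are 'unknown': check by hand.
function classifySpec(spec) {
  const m = /^(?:\^|~|>=|=|v)?(\d+)(?:\.(?:\d+|x|\*)){0,2}$/.exec(String(spec || '').trim());
  if (!m) return 'unknown';
  return Number(m[1]) >= FIXED_MAJOR ? 'fixed' : 'upgrade';
}

// Collect every declaration of the plugin from the raw file contents (either may be null).
function auditCameraPlugin(packageJsonText, configXmlText) {
  const findings = [];
  if (packageJsonText) {
    const pkg = JSON.parse(packageJsonText);
    for (const section of ['dependencies', 'devDependencies']) {
      const spec = (pkg[section] || {})[PLUGIN];
      if (spec !== undefined) findings.push({ source: `package.json ${section}`, spec });
    }
  }
  if (configXmlText) {
    // <plugin name="cordova-plugin-camera" spec="..." />, attributes in any order
    for (const tag of configXmlText.match(/<plugin\b[^>]*>/g) || []) {
      if (!new RegExp(`\\bname=["']${PLUGIN}["']`).test(tag)) continue;
      const spec = (/\bspec=["']([^"']*)["']/.exec(tag) || [])[1];
      findings.push({ source: 'config.xml', spec: spec || '' });
    }
  }
  return findings.map(f => ({ ...f, status: classifySpec(f.spec) }));
}

// Constructed sample inputs (not from a real project).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: { 'cordova-plugin-camera': '^4.1.0' },
});
const SAMPLE_CONFIG_XML = `<widget id="com.example.demo">
  <plugin name="cordova-plugin-camera" spec="~4.0.3" />
  <plugin name="cordova-plugin-device" spec="^2.0.3" />
</widget>`;

console.log(auditCameraPlugin(SAMPLE_PACKAGE_JSON, SAMPLE_CONFIG_XML));
```

In a real project, pass the contents of package.json and config.xml read from the project root. A declared spec is only a range, so after upgrading, rebuild and confirm the installed plugin version as well.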
[Edit: Changed credit to individual]
Akihiro Matsumura of Saison Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
[Edit: Added links to JPCERT/CC advisory]