PT-2020-13305 · Australian Government · Covidsafe
Published
2020-05-18
·
Updated
2021-07-21
·
CVE-2020-12860
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
COVIDSafe versions through v1.0.17
Description
The issue allows a remote attacker to access phone name and model information. This is possible because a BLE device can have four roles and COVIDSafe uses all of them, enabling re-identification of a device and potentially the identification of the owner's name.
Recommendations
For COVIDSafe versions through v1.0.17, consider restricting the use of BLE functionalities until a patch is available. As a temporary workaround, users may want to limit the app's access to device information to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Covidsafe