PT-2021-22922 · Unknown · Com.Onepeloton.Erlich

Sam Quinn · Published 2021-10-25 · Updated 2021-10-29 · CVE-2021-40527

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: com.onepeloton.erlich, versions up to and including 1.7.22

Description: Exposure of sensitive information to an unauthorized actor in the mobile application allows a remote attacker to access developer files stored in an AWS S3 bucket by reading credentials stored in plain text within the application.

Recommendations: For versions up to and including 1.7.22, update to a version that fixes the exposure of sensitive information to prevent unauthorized access to developer files stored in the AWS S3 bucket. As a temporary workaround, consider restricting access to the AWS S3 bucket until a patch is available.

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2021-40527

Affected Products

Com.Onepeloton.Erlich