CVE-2018-19981 — HIGH (7.2)

Q: How severe is CVE-2018-19981?

CVE-2018-19981 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-19981?

Check the references section above for vendor advisories and patch information. Affected products include: Amazon Aws Software Development Kit.

Vulnerability Description

Amazon AWS SDK <=2.8.5 for Android uses Android SharedPreferences to store plain text AWS STS Temporary Credentials retrieved by AWS Cognito Identity Service. An attacker can use these credentials to create authenticated and/or authorized requests. Note that the attacker must have "root" privilege access to the Android filesystem in order to exploit this vulnerability (i.e. the device has been compromised, such as disabling or bypassing Android's fundamental security mechanisms).

CVSS Score

7.2

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Amazon	Aws Software Development Kit	<= 2.8.5

Related Weaknesses (CWE)

CWE-312

References

https://aws-amplify.github.io/aws-sdk-android/docs/reference/com/amazonaws/auth/ExploitThird Party Advisory
https://raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulnsExploitThird Party Advisory
https://raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulnsExploitThird Party Advisory
https://raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulnsExploitThird Party Advisory
https://aws-amplify.github.io/aws-sdk-android/docs/reference/com/amazonaws/auth/ExploitThird Party Advisory
https://raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulnsExploitThird Party Advisory
https://raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulnsExploitThird Party Advisory
https://raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulnsExploitThird Party Advisory

FAQ

What is CVE-2018-19981?

CVE-2018-19981 is a vulnerability with a CVSS score of 7.2 (HIGH). Amazon AWS SDK <=2.8.5 for Android uses Android SharedPreferences to store plain text AWS STS Temporary Credentials retrieved by AWS Cognito Identity Service. An attacker can use these credentials to ...

How severe is CVE-2018-19981?

CVE-2018-19981 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-19981?

Check the references section above for vendor advisories and patch information. Affected products include: Amazon Aws Software Development Kit.