Vulnerability Description
The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear text file. This file persists until the user logs out or the session times out from non-usage (30 days of no user activity). This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bluecats | Bluecats Reveal | < 3.0.19 |
Related Weaknesses (CWE)
References
- https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystExploitThird Party Advisory
- https://play.google.com/store/apps/details?id=com.bluecats.bcrevealProduct
- https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystExploitThird Party Advisory
- https://play.google.com/store/apps/details?id=com.bluecats.bcrevealProduct
FAQ
What is CVE-2019-5626?
CVE-2019-5626 is a vulnerability with a CVSS score of 7.8 (HIGH). The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear text file. This file persists until the user logs out or the session times out from non-usage (...
How severe is CVE-2019-5626?
CVE-2019-5626 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-5626?
Check the references section above for vendor advisories and patch information. Affected products include: Bluecats Bluecats Reveal.