Vulnerability Description
In the COVIDSafe application through 1.0.21 for Android, unsafe use of the Bluetooth transport option in the GATT connection allows attackers to trick the application into establishing a connection over Bluetooth BR/EDR transport, which reveals the public Bluetooth address of the victim's phone without authorisation, bypassing the Bluetooth address randomisation protection in the user's phone.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Health | Covidsafe | <= 1.0.21 |
References
- https://covidsafe.watch/issue-register/Vendor Advisory
- https://github.com/AU-COVIDSafe/mobile-android/blob/b827cf3ccef72a3d38c6fc37466aExploitThird Party Advisory
- https://github.com/alwentiu/CVE-2020-14292ExploitThird Party Advisory
- https://www.health.gov.au/resources/apps-and-tools/covidsafe-appProductThird Party Advisory
- https://covidsafe.watch/issue-register/Vendor Advisory
- https://github.com/AU-COVIDSafe/mobile-android/blob/b827cf3ccef72a3d38c6fc37466aExploitThird Party Advisory
- https://github.com/alwentiu/CVE-2020-14292ExploitThird Party Advisory
- https://www.health.gov.au/resources/apps-and-tools/covidsafe-appProductThird Party Advisory
FAQ
What is CVE-2020-14292?
CVE-2020-14292 is a vulnerability with a CVSS score of 5.7 (MEDIUM). In the COVIDSafe application through 1.0.21 for Android, unsafe use of the Bluetooth transport option in the GATT connection allows attackers to trick the application into establishing a connection ov...
How severe is CVE-2020-14292?
CVE-2020-14292 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-14292?
Check the references section above for vendor advisories and patch information. Affected products include: Health Covidsafe.