Vulnerability Description
An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | Exposure Notifications | <= 1.5 |
| Exposure Notifications | <= 1.5 |
References
- http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-DaThird Party AdvisoryVDB Entry
- https://blog.google/inside-google/company-announcements/update-exposure-notificaVendor Advisory
- https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CThird Party Advisory
- https://seclists.org/fulldisclosure/2020/Sep/53Mailing ListThird Party Advisory
- http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-DaThird Party AdvisoryVDB Entry
- https://blog.google/inside-google/company-announcements/update-exposure-notificaVendor Advisory
- https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CThird Party Advisory
- https://seclists.org/fulldisclosure/2020/Sep/53Mailing ListThird Party Advisory
FAQ
What is CVE-2020-24721?
CVE-2020-24721 is a vulnerability with a CVSS score of 5.7 (MEDIUM). An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position...
How severe is CVE-2020-24721?
CVE-2020-24721 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-24721?
Check the references section above for vendor advisories and patch information. Affected products include: Apple Exposure Notifications, Google Exposure Notifications.