The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.
References
Link | Resource |
---|---|
https://github.com/optiv/rustyIron | Exploit Third Party Advisory |
https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US | Product |
https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 03:21
Type | Values Removed | Values Added |
---|---|---|
Summary | The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature. |
03 Mar 2023, 14:00
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/optiv/rustyIron - Exploit, Third Party Advisory | |
References | (MISC) https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration - Exploit, Third Party Advisory | |
References | (MISC) https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US - Product | |
First Time |
Mobileiron mobile\@work
Mobileiron |
|
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 7.5 |
CWE | CWE-798 | |
CPE | cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:* cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:android:*:* |
01 Mar 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
Summary | ** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature. | |
References |
|
19 Aug 2021, 14:09
Type | Values Removed | Values Added |
---|---|---|
Summary | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: the reported issue is not a vulnerability or exposure. Notes: This is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, we do not plan change to make any changes to this feature. | |
References |
|
|
CPE | cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:* |
|
CWE | ||
CVSS |
v2 : v3 : |
v2 : unknown
v3 : unknown |
02 Apr 2021, 19:43
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration - Exploit, Third Party Advisory | |
References | (MISC) https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US - Product, Third Party Advisory | |
References | (MISC) https://github.com/optiv/rustyIron - Exploit, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 6.5 |
CWE | CWE-798 | |
CPE | cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:android:*:* cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:* |
29 Mar 2021, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-03-29 20:15
Updated : 2024-04-11 01:08
NVD link : CVE-2020-35137
Mitre link : CVE-2020-35137
CVE.ORG link : CVE-2020-35137
JSON object : View
Products Affected
mobileiron
- mobile\@work
CWE
CWE-798
Use of Hard-coded Credentials