CVE-2020-35137

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2020-35137
The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References
Link Resource
https://github.com/optiv/rustyIron Exploit Third Party Advisory
https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US Product
https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:android:*:*
cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:*
History

07 Nov 2023, 03:21

Type Values Removed Values Added
Summary ** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature. The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.

03 Mar 2023, 14:00

Type Values Removed Values Added
References (MISC) https://github.com/optiv/rustyIron - (MISC) https://github.com/optiv/rustyIron - Exploit, Third Party Advisory
References (MISC) https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration - (MISC) https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration - Exploit, Third Party Advisory
References (MISC) https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US - (MISC) https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US - Product
First Time Mobileiron mobile\@work
Mobileiron
CVSS v2 : unknown
v3 : unknown 		v2 : 4.3
v3 : 7.5
CWE CWE-798
CPE cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:android:*:*

01 Mar 2023, 17:15

Type Values Removed Values Added
Summary ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: the reported issue is not a vulnerability or exposure. Notes: This is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, we do not plan change to make any changes to this feature. ** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.
References
  • (MISC) https://github.com/optiv/rustyIron -
  • (MISC) https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration -
  • (MISC) https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US -

19 Aug 2021, 14:09

Type Values Removed Values Added
Summary The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: the reported issue is not a vulnerability or exposure. Notes: This is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, we do not plan change to make any changes to this feature.
References
  • {'url': 'https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US', 'name': 'https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US', 'tags': ['Product', 'Third Party Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://github.com/optiv/rustyIron', 'name': 'https://github.com/optiv/rustyIron', 'tags': ['Exploit', 'Third Party Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration', 'name': 'https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration', 'tags': ['Exploit', 'Third Party Advisory'], 'refsource': 'MISC'}
CPE cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:android:*:*
cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:*
CWE CWE-798
CVSS v2 : 4.3
v3 : 6.5 		v2 : unknown
v3 : unknown

02 Apr 2021, 19:43

Type Values Removed Values Added
References (MISC) https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration - (MISC) https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration - Exploit, Third Party Advisory
References (MISC) https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US - (MISC) https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US - Product, Third Party Advisory
References (MISC) https://github.com/optiv/rustyIron - (MISC) https://github.com/optiv/rustyIron - Exploit, Third Party Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : 4.3
v3 : 6.5
CWE CWE-798
CPE cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:android:*:*
cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:*

29 Mar 2021, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2021-03-29 20:15

Updated : 2024-04-11 01:08

NVD link : CVE-2020-35137

Mitre link : CVE-2020-35137

CVE.ORG link : CVE-2020-35137

JSON object : View

Products Affected

mobileiron

  • mobile\@work
CWE
CWE-798

Use of Hard-coded Credentials