CVE-2021-31815

{"id": "CVE-2021-31815", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2021-04-28T02:15:07.097", "references": [{"url": "https://blog.appcensus.io/2021/04/27/why-google-should-stop-logging-contact-tracing-data/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://themarkup.org/privacy/2021/04/27/google-promised-its-contact-tracing-app-was-completely-private-but-it-wasnt", "tags": ["Exploit", "Press/Media Coverage", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection status, because Rolling Proximity Identifiers and MAC addresses are written to the Android system log, and many Android devices have applications (preinstalled by the hardware manufacturer or network operator) that read system log data and send it to third parties. NOTE: a news outlet (The Markup) states that they received a vendor response indicating that fix deployment \"began several weeks ago and will be complete in the coming days.\""}, {"lang": "es", "value": "GAEN (tambi\u00e9n conocido como Google/Apple Exposure Notifications) hasta el 2021-04-27 en Android permite a los atacantes obtener informaci\u00f3n sensible, como el historial de localizaci\u00f3n de un usuario, el gr\u00e1fico social en persona y (a veces) el estado de infecci\u00f3n de COVID-19, porque los identificadores de proximidad y las direcciones MAC se escriben en el registro del sistema Android, y muchos dispositivos Android tienen aplicaciones (preinstaladas por el fabricante de hardware o el operador de red) que leen los datos del registro del sistema y los env\u00edan a terceros. NOTA: un medio de comunicaci\u00f3n (The Markup) afirma haber recibido una respuesta del proveedor indicando que el despliegue de la correcci\u00f3n \"comenz\u00f3 hace varias semanas y se completar\u00e1 en los pr\u00f3ximos d\u00edas.\""}], "lastModified": "2021-05-07T18:28:32.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:google\\/apple_exposure_notifications:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "7A93DEB7-285A-454B-B1EE-2A633249408C", "versionEndIncluding": "2021-04-27"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}