CVE-2020-35137

Опубликовано: 29 мар. 2021

Источник: nvd

CVSS3: 7.5

CVSS2: 4.3

EPSS Низкий

Описание

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.

Ссылки

https://github.com/optiv/rustyIron
Exploit
Third Party Advisory
https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US
Product
https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration
Exploit
Third Party Advisory
https://github.com/optiv/rustyIron
Exploit
Third Party Advisory
https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US
Product
https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:android:*:*

Версия до 2021-03-22 (включая)

cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:*

Версия до 2021-03-22 (включая)

EPSS

Процентиль: 63%

0.0045

Низкий

7.5 High

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-798

Связанные уязвимости

GHSA-wrvw-xh7r-3r2g