Vulnerabilites related to tracetogether - tracetogether
Vulnerability from fkie_nvd
Published
2020-05-18 04:15
Modified
2024-11-21 05:00
Severity ?
Summary
OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| alberta | abtracetogether | - | |
| alberta | abtracetogether | - | |
| health | covidsafe | * | |
| health | covidsafe | - | |
| tracetogether | tracetogether | - | |
| tracetogether | tracetogether | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:alberta:abtracetogether:-:*:*:*:*:android:*:*",
"matchCriteriaId": "CCE03A6E-2BE9-473D-8FB3-C63499FC936B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:alberta:abtracetogether:-:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "35FD1BAA-06DA-4048-9175-7B6305FA90F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:health:covidsafe:*:*:*:*:*:android:*:*",
"matchCriteriaId": "17975F7E-BD3B-472D-ABBC-B828E43CE2A5",
"versionEndIncluding": "1.0.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:health:covidsafe:-:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "772EE84F-05D9-4561-8907-F61364B46B34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tracetogether:tracetogether:-:*:*:*:*:android:*:*",
"matchCriteriaId": "373055EF-19B0-417A-AAD9-DFE9476491B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tracetogether:tracetogether:-:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "39F397CD-004A-46A4-8EC1-33D26F2E3DD2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used."
},
{
"lang": "es",
"value": "OpenTrace, tal como es usado en COVIDSafe versiones hasta v1.0.17, TraceTogether, ABTraceTogether y otras aplicaciones en iOS y Android, permite a atacantes remotos conducir ataques de reidentificaci\u00f3n a largo plazo y posiblemente tener otro impacto no especificado, debido en la manera en como Bluetooth es usado."
}
],
"id": "CVE-2020-12856",
"lastModified": "2024-11-21T05:00:25.270",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-18T04:15:09.910",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://covidsafe.watch/issue-register/cve-2020-12856-long-term-tracking-and-possibly-enables-other-bluetooth-based-attack-vectors"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://docs.google.com/document/d/1u5a5ersKBH6eG362atALrzuXo3zuZ70qrGomWVEC27U/edit?usp=sharing"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/README.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://covidsafe.watch/issue-register/cve-2020-12856-long-term-tracking-and-possibly-enables-other-bluetooth-based-attack-vectors"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://docs.google.com/document/d/1u5a5ersKBH6eG362atALrzuXo3zuZ70qrGomWVEC27U/edit?usp=sharing"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/README.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-05-14 05:15
Modified
2024-11-21 05:00
Severity ?
Summary
The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| alberta | abtracetogether | - | |
| gov | protego_safe | - | |
| health | covidsafe | 1.0 | |
| health | covidsafe | 1.1 | |
| tracetogether | tracetogether | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:alberta:abtracetogether:-:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "35FD1BAA-06DA-4048-9175-7B6305FA90F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gov:protego_safe:-:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "3670D0D0-0043-4575-887B-CD75EA4BEB26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:health:covidsafe:1.0:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "39EB4CCA-71AA-4DE7-A3FE-5A535E9C34B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:health:covidsafe:1.1:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "94AB46DD-B889-4072-B63F-561E663C5FBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tracetogether:tracetogether:-:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "39F397CD-004A-46A4-8EC1-33D26F2E3DD2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected."
},
{
"lang": "es",
"value": "La aplicaci\u00f3n COVIDSafe (Australia) versiones 1.0 y 1.1 para iOS, permite a un atacante remoto bloquear la aplicaci\u00f3n, y en consecuencia interferir con el rastreo de contactos de COVID-19, por medio de un anuncio de Bluetooth que contiene datos del fabricante que son muy cortos. Esto se presenta debido a una llamada err\u00f3nea de OpenTrace manuData.subdata. Las aplicaciones ABTraceTogether (Alberta), ProteGO (Polonia), y TraceTogether (Singapur) tambi\u00e9n estaban afectadas."
}
],
"id": "CVE-2020-12717",
"lastModified": "2024-11-21T05:00:08.237",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-14T05:15:10.987",
"references": [
{
"source": "cve@mitre.org",
"url": "https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2020-12856
Vulnerability from cvelistv5
Published
2020-05-18 03:35
Modified
2024-08-04 12:04
Severity ?
EPSS score ?
Summary
OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.google.com/document/d/1u5a5ersKBH6eG362atALrzuXo3zuZ70qrGomWVEC27U/edit?usp=sharing"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/README.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://covidsafe.watch/issue-register/cve-2020-12856-long-term-tracking-and-possibly-enables-other-bluetooth-based-attack-vectors"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-18T03:57:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.google.com/document/d/1u5a5ersKBH6eG362atALrzuXo3zuZ70qrGomWVEC27U/edit?usp=sharing"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/README.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://covidsafe.watch/issue-register/cve-2020-12856-long-term-tracking-and-possibly-enables-other-bluetooth-based-attack-vectors"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12856",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.google.com/document/d/1u5a5ersKBH6eG362atALrzuXo3zuZ70qrGomWVEC27U/edit?usp=sharing",
"refsource": "MISC",
"url": "https://docs.google.com/document/d/1u5a5ersKBH6eG362atALrzuXo3zuZ70qrGomWVEC27U/edit?usp=sharing"
},
{
"name": "https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/README.md",
"refsource": "MISC",
"url": "https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/README.md"
},
{
"name": "https://covidsafe.watch/issue-register/cve-2020-12856-long-term-tracking-and-possibly-enables-other-bluetooth-based-attack-vectors",
"refsource": "MISC",
"url": "https://covidsafe.watch/issue-register/cve-2020-12856-long-term-tracking-and-possibly-enables-other-bluetooth-based-attack-vectors"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12856",
"datePublished": "2020-05-18T03:35:36",
"dateReserved": "2020-05-14T00:00:00",
"dateUpdated": "2024-08-04T12:04:22.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-12717
Vulnerability from cvelistv5
Published
2020-05-14 04:36
Modified
2024-08-04 12:04
Severity ?
EPSS score ?
Summary
The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected.
References
| ▼ | URL | Tags |
|---|---|---|
| https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.554Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-14T04:36:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/%40wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12717",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://medium.com/@wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708",
"refsource": "MISC",
"url": "https://medium.com/@wabz/covidsafe-ios-vulnerability-cve-2020-12717-30dc003f9708"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12717",
"datePublished": "2020-05-14T04:36:11",
"dateReserved": "2020-05-07T00:00:00",
"dateUpdated": "2024-08-04T12:04:22.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}