Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Feb 2014 23:32:23 -0500 (EST)
From: cve-assign@...re.org
To: oss-sec-addjsif@...p.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: CVE-2014-1939 searchBoxJavaBridge_ in Android Jelly Bean

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> From: "Joshua J. Drake" <oss-sec-addjsif@...p.org>
> Subject: Re: CVEs for Android addJavascriptInterface issues (was: multiple issues in Apache Cordova/PhoneGap)
> Date: Sat, 8 Feb 2014 00:47:05 -0600
> Message-ID: <20140208064704.GA17711@...
>
> You may have seen recently released Metasploit module that allows a
> remote compromise of the Google Glass browser using an incorrectly
> exposed Javascript bridge via the "searchBoxJavaBridge_" object. This
> exposes an instance of android.webkit.SearchBoxImpl in older versions
> of the Android browser.

Use CVE-2014-1939. For example, see:

https://android.googlesource.com/platform/frameworks/base/+/jb-release/core/java/android/webkit/
https://android.googlesource.com/platform/frameworks/base/+/jb-release/core/java/android/webkit/SearchBoxImpl.java

versus:

https://android.googlesource.com/platform/frameworks/base/+/kitkat-release/core/java/android/webkit/

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS+acoAAoJEKllVAevmvmssJYIAKETcBfP8SJYDEY7bPoC8Ivc
oJgTS05tzQMb+w+sju0vl0Ph19TTp225AfMrrB6gD1V5MlkZvPcSF7YsyuDvWON1
sBoz93bmnVe54+1potTAa6ECkWNbILOx7ZHFxwM5vj+Iyd7jE5RjAnRl/2bYQUvo
eRneKDuI+Ayc7Uq8Jk8HblaNgHVqW6oxrREKotiLJnP8kbaBAqQBgZdoE5PYsGvj
KVMU+2WrgDTb3eD6SZUvumF7WNaQ08iUSbhgED2Yv79JXs3jerWQ4gbdSd1YXgwO
PWY3OcU/iyMNfZZqgxZypk483tVo8FkEftDsHA/5b9/HMMbf/NSS62Gn9sVHmJk=
=E2Z7
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ