CVE-2015-5257/CVE-2015-8320: Weak Randomization of BridgeSecret for Apache Cordova Android
As of November 25, 2015, IBM is aware that Apache Cordova has announced two CVEs for vulnerabilities on the Android platform. This post focuses on CVE-2015-5257; the other CVE is still being worked on.
Note: On some sites, this CVE may be referred to as CVE-2015-8320. Red Hat made a typo in their CVE assignment and used the same number as Cordova, so Cordova's CVE was reassigned to CVE-2015-8320.
CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android
Vendor: The Apache Software Foundation
Versions Affected: Cordova Android versions up to 3.6.4
Upgrade Path: Developers who are concerned about this issue should rebuild their applications with Cordova Android 4.1.1 or later. Versions after 3.6.4 do not contain this vulnerability.
Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team
iFixes will be available shortly for MobileFirst Platform Foundation versions 6.3, 7.0, and 7.1. All of the other earlier versions of the product are unaffected.