oss-sec mailing list archives
Re: CVE-2014-1939 searchBoxJavaBridge_ in Android Jelly Bean
From: Nick Kralevich <nnk () google com>
Date: Tue, 18 Feb 2014 10:43:43 -0800
This particular issue was previously assigned a CVE by JPCERT, specifically, CVE-2013-4710. See https://jvn.jp/en/jp/JVN53768697/index.html for additional information. CVE-2014-1939 should be marked as a DUPLICATE of CVE-2013-4710. -- Nick On Mon, Feb 10, 2014 at 8:32 PM, <cve-assign () mitre org> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1From: "Joshua J. Drake" <oss-sec-addjsif () qoop org> Subject: Re: CVEs for Android addJavascriptInterface issues (was: multiple issues in Apache Cordova/PhoneGap) Date: Sat, 8 Feb 2014 00:47:05 -0600 Message-ID: <20140208064704.GA17711@dq> You may have seen recently released Metasploit module that allows a remote compromise of the Google Glass browser using an incorrectly exposed Javascript bridge via the "searchBoxJavaBridge_" object. This exposes an instance of android.webkit.SearchBoxImpl in older versions of the Android browser.Use CVE-2014-1939. For example, see: https://android.googlesource.com/platform/frameworks/base/+/jb-release/core/java/android/webkit/ https://android.googlesource.com/platform/frameworks/base/+/jb-release/core/java/android/webkit/SearchBoxImpl.java versus: https://android.googlesource.com/platform/frameworks/base/+/kitkat-release/core/java/android/webkit/ - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJS+acoAAoJEKllVAevmvmssJYIAKETcBfP8SJYDEY7bPoC8Ivc oJgTS05tzQMb+w+sju0vl0Ph19TTp225AfMrrB6gD1V5MlkZvPcSF7YsyuDvWON1 sBoz93bmnVe54+1potTAa6ECkWNbILOx7ZHFxwM5vj+Iyd7jE5RjAnRl/2bYQUvo eRneKDuI+Ayc7Uq8Jk8HblaNgHVqW6oxrREKotiLJnP8kbaBAqQBgZdoE5PYsGvj KVMU+2WrgDTb3eD6SZUvumF7WNaQ08iUSbhgED2Yv79JXs3jerWQ4gbdSd1YXgwO PWY3OcU/iyMNfZZqgxZypk483tVo8FkEftDsHA/5b9/HMMbf/NSS62Gn9sVHmJk= =E2Z7 -----END PGP SIGNATURE-----
-- Nick Kralevich | Android Security | nnk () google com | 650.214.4037
Current thread:
- CVE-2014-1939 searchBoxJavaBridge_ in Android Jelly Bean cve-assign (Feb 10)
- Re: CVE-2014-1939 searchBoxJavaBridge_ in Android Jelly Bean Joshua J. Drake (Feb 11)
- Re: CVE-2014-1939 searchBoxJavaBridge_ in Android Jelly Bean Nick Kralevich (Feb 18)
- Re: CVE-2014-1939 searchBoxJavaBridge_ in Android Jelly Bean cve-assign (Feb 18)