CVE-2014-0647 - OpenCVE

The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apple	Iphone Os
Starbucks	Starbucks

Configuration 1 [-]

AND

cpe:2.3:a:starbucks:starbucks:2.6.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

References

Link	Resource
http://seclists.org/fulldisclosure/2014/Jan/123
http://seclists.org/fulldisclosure/2014/Jan/64
http://www.osvdb.org/102514
http://www.securityfocus.com/archive/1/530756/100/0/threaded
http://www.securityfocus.com/bid/64942
http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/
http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/
https://exchange.xforce.ibmcloud.com/vulnerabilities/90412
https://itunes.apple.com/us/app/starbucks/id331177714?mt=8

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2014-01-28T00:00:00

Updated: 2018-10-09T18:57:01

Reserved: 2014-01-02T00:00:00

Link: CVE-2014-0647

JSON object: View

NVD Information

Status : Modified

Published: 2014-01-28T00:55:03.957

Modified: 2018-10-09T19:42:04.093

Link: CVE-2014-0647

JSON object: View

Redhat Information

No data.

CWE

CWE-255

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-13T00:00:00", "descriptions": [{"lang": "en", "value": "The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/"}, {"name": "20140113 [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Jan/64"}, {"tags": ["x_refsource_MISC"], "url": "https://itunes.apple.com/us/app/starbucks/id331177714?mt=8"}, {"tags": ["x_refsource_MISC"], "url": "http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/"}, {"name": "20140114 [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/530756/100/0/threaded"}, {"name": "20140117 Re: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Jan/123"}, {"name": "64942", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/64942"}, {"name": "102514", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/102514"}, {"name": "starbucks-cve20140647-info-disclosure(90412)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90412"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-0647", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/", "refsource": "MISC", "url": "http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/"}, {"name": "20140113 [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Jan/64"}, {"name": "https://itunes.apple.com/us/app/starbucks/id331177714?mt=8", "refsource": "MISC", "url": "https://itunes.apple.com/us/app/starbucks/id331177714?mt=8"}, {"name": "http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/", "refsource": "MISC", "url": "http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/"}, {"name": "20140114 [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/530756/100/0/threaded"}, {"name": "20140117 Re: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Jan/123"}, {"name": "64942", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64942"}, {"name": "102514", "refsource": "OSVDB", "url": "http://www.osvdb.org/102514"}, {"name": "starbucks-cve20140647-info-disclosure(90412)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90412"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-0647", "datePublished": "2014-01-28T00:00:00", "dateReserved": "2014-01-02T00:00:00", "dateUpdated": "2018-10-09T18:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:starbucks:starbucks:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "1F970B50-FBA6-4885-9D5A-E8D78B16BFD2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "340C4071-1447-477F-942A-8E09EA29F917", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog."}, {"lang": "es", "value": "La aplicaci\u00f3n Starbucks 2.6.1 para iOS almacena informaci\u00f3n sensible en texto plano en el archivo log de Crashlyrics (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), lo que permite a atacantes descubrir nombres de usuario, contrase\u00f1as, y direcciones de e-mail a trav\u00e9s de una aplicaci\u00f3n que lea session.clslog."}], "id": "CVE-2014-0647", "lastModified": "2018-10-09T19:42:04.093", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-28T00:55:03.957", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2014/Jan/123"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2014/Jan/64"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/102514"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/530756/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/64942"}, {"source": "cve@mitre.org", "url": "http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/"}, {"source": "cve@mitre.org", "url": "http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90412"}, {"source": "cve@mitre.org", "url": "https://itunes.apple.com/us/app/starbucks/id331177714?mt=8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}