CVE-2014-1423 - OpenCVE

signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ubports	Ubuntu Touch
Signond Project	Signond

Configuration 1 [-]

cpe:2.3:a:signond_project:signond:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:ubports:ubuntu_touch:-:*:*:*:*:*:*:*

References

Link	Resource
http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644	Third Party Advisory
http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645	Third Party Advisory
https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: canonical

Published: 2014-11-14T00:00:00

Updated: 2020-05-07T22:25:16

Reserved: 2014-01-13T00:00:00

Link: CVE-2014-1423

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-05-07T23:15:11.310

Modified: 2020-05-12T20:15:08.583

Link: CVE-2014-1423

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"containers": {"cna": {"affected": [{"product": "signon", "vendor": "Ubuntu ", "versions": [{"lessThan": "8.57+15.04.20141127.1-0ubuntu1", "status": "affected", "version": "Ubuntu 15.04 signon", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Michael Zanetti"}], "datePublic": "2014-11-14T00:00:00", "descriptions": [{"lang": "en", "value": "signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-05-07T22:25:16", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644"}, {"tags": ["x_refsource_MISC"], "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"}], "source": {"defect": ["https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"], "discovery": "INTERNAL"}, "title": "Online Accounts Signon daemon gives out all oauth tokens to any app", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2014-11-14T00:00:00.000Z", "ID": "CVE-2014-1423", "STATE": "PUBLIC", "TITLE": "Online Accounts Signon daemon gives out all oauth tokens to any app"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "signon", "version": {"version_data": [{"version_affected": "<", "version_name": "Ubuntu 15.04 signon", "version_value": "8.57+15.04.20141127.1-0ubuntu1"}]}}]}, "vendor_name": "Ubuntu "}]}}, "credit": [{"lang": "eng", "value": "Michael Zanetti"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-522 Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644", "refsource": "MISC", "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644"}, {"name": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645", "refsource": "MISC", "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645"}, {"name": "https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380", "refsource": "MISC", "url": "https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"}]}, "source": {"defect": ["https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"], "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2014-1423", "datePublished": "2014-11-14T00:00:00", "dateReserved": "2014-01-13T00:00:00", "dateUpdated": "2020-05-07T22:25:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:signond_project:signond:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3F079AB-3D0F-4A6A-B2A8-A875199B78A9", "versionEndExcluding": "8.57\\+15.04.20141127.1-0ubuntu1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ubports:ubuntu_touch:-:*:*:*:*:*:*:*", "matchCriteriaId": "5443E410-5EFD-4C9D-84E7-1EBE11780B52", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information."}, {"lang": "es", "value": "signond versiones anteriores a 8.57+15.04.20141127.1-0ubuntu1, como es usado en Ubuntu Touch, no restringi\u00f3 apropiadamente las aplicaciones a partir de consultar los tokens oath debido a unas comprobaciones incorrectas y la falta de instalaci\u00f3n de la signon-apparmor-extension. Un atacante podr\u00eda usar esto para crear una aplicaci\u00f3n de clics maliciosos que recopile tokens oauth para otras aplicaciones, exponiendo informaci\u00f3n confidencial."}], "id": "CVE-2014-1423", "lastModified": "2020-05-12T20:15:08.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.0, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2020-05-07T23:15:11.310", "references": [{"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://bugs.launchpad.net/ubuntu/+source/signon/+bug/1392380"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@ubuntu.com", "type": "Secondary"}]}