Vulnerability Details : CVE-2014-0647
The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog.
Products affected by CVE-2014-0647
- cpe:2.3:a:starbucks:starbucks:2.6.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-0647
- EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
- Percentile: ~23% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-0647
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
CWE ids for CVE-2014-0647
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-0647
- http://www.securityfocus.com/bid/64942
  Starbucks CVE-2014-0647 Information Disclosure Vulnerability
- http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/
  The Starbucks bug: not as awful as reported | ZDNet
- http://seclists.org/fulldisclosure/2014/Jan/64
  Full Disclosure: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application
- https://itunes.apple.com/us/app/starbucks/id331177714?mt=8
  Starbucks on the App Store
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90412
  Starbucks session.clslog information disclosure CVE-2014-0647 Vulnerability Report
- http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/
  Starbucks fixes iOS app bugs | ZDNet
- http://seclists.org/fulldisclosure/2014/Jan/123
  Full Disclosure: Re: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application
- http://www.securityfocus.com/archive/1/530756/100/0/threaded
  SecurityFocus