Vulnerability Details : CVE-2020-12270
React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alphanumeric IDs, which might make it easier for remote attackers to interfere with COVID-19 contact tracing by using many IDs. NOTE: the vendor disputes the relevance of this report because the recipient of an F1 alert will know it was a false alert if contact-history comparison fails (i.e., an F0 is not actually part of the contact history obtained from the device of this recipient, or this recipient is not actually part of the contact history obtained from the device of an F0)
Products affected by CVE-2020-12270
- cpe:2.3:a:bluezone:bluezone:1.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-12270
0.55%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 77 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-12270
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.3
|
LOW | AV:A/AC:L/Au:N/C:P/I:N/A:N |
6.5
|
2.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2020-12270
-
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-12270
-
https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/java/com/scan/TraceCovidModule.java#L98
react-native-bluetooth-scan/TraceCovidModule.java at d9ee70fd594093a30e50b6e62a7593a8397c2dab · BluezoneGlobal/react-native-bluetooth-scan · GitHubThird Party Advisory
-
https://github.com/BluezoneGlobal/bluezone-app/blob/afa15fcec391f0edc51d0486a4ca84dd2520bbb3/CHANGELOG.md
bluezone-app/CHANGELOG.md at afa15fcec391f0edc51d0486a4ca84dd2520bbb3 · BluezoneGlobal/bluezone-app · GitHubRelease Notes;Third Party Advisory
-
https://bluezone.ai/CVE
-
https://github.com/BluezoneGlobal/bluezone-app/blob/afa15fcec391f0edc51d0486a4ca84dd2520bbb3/package.json#L27
bluezone-app/package.json at afa15fcec391f0edc51d0486a4ca84dd2520bbb3 · BluezoneGlobal/bluezone-app · GitHubThird Party Advisory
-
https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/AndroidManifest.xml#L11-L12
react-native-bluetooth-scan/AndroidManifest.xml at d9ee70fd594093a30e50b6e62a7593a8397c2dab · BluezoneGlobal/react-native-bluetooth-scan · GitHubThird Party Advisory
-
https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/java/com/scan/BluezonerIdGenerator.java#L18-L28
react-native-bluetooth-scan/BluezonerIdGenerator.java at d9ee70fd594093a30e50b6e62a7593a8397c2dab · BluezoneGlobal/react-native-bluetooth-scan · GitHubThird Party Advisory
-
https://vnhacker.blogspot.com/2020/04/vietnams-contact-tracing-app_26.html
Vietnam's contact tracing app broadcasting a fixed IDExploit;Third Party Advisory
Jump to