Vulnerability Details: CVE-2020-24721
An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework.
Products affected by CVE-2020-24721
- cpe:2.3:a:apple:exposure_notifications:*:*:*:*:*:iphone_os:*:*
- cpe:2.3:a:google:exposure_notifications:*:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-24721
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~12% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-24721
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 3.3 | LOW | AV:L/AC:M/Au:N/C:P/I:P/A:N | 3.4 | 4.9 | NIST | |
| 5.7 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 0.5 | 5.2 | NIST | |
References for CVE-2020-24721
- Corona Exposure Notifications API Data Leakage (Packet Storm) [Third Party Advisory; VDB Entry]: http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html
- CVE-2020-24721.txt in minvws/nl-covid19-notification-app-coordination (GitHub) [Third Party Advisory]: https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt
- Full Disclosure: CVE-2020-24721: Corona Exposure Notifications API: risk of coercion/data leakage [Mailing List; Third Party Advisory]: https://seclists.org/fulldisclosure/2020/Sep/53
- An update on Exposure Notifications (Google) [Vendor Advisory]: https://blog.google/inside-google/company-announcements/update-exposure-notifications