Vulnerability Details : CVE-2021-31815
GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection status, because Rolling Proximity Identifiers and MAC addresses are written to the Android system log, and many Android devices have applications (preinstalled by the hardware manufacturer or network operator) that read system log data and send it to third parties. NOTE: a news outlet (The Markup) states that they received a vendor response indicating that fix deployment "began several weeks ago and will be complete in the coming days."
Products affected by CVE-2021-31815
- Google » Google/apple Exposure Notifications » For Android, versions up to and including (<=) 2021-04-27. CPE: cpe:2.3:a:google:google\/apple_exposure_notifications:*:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-31815
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~11% (the proportion of vulnerabilities scored at or below this score)
EPSS Score History
CVSS scores for CVE-2021-31815
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | 
3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 | NIST | 
CWE ids for CVE-2021-31815
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-31815
- https://themarkup.org/privacy/2021/04/27/google-promised-its-contact-tracing-app-was-completely-private-but-it-wasnt
  Google Promised Its Contact Tracing App Was Completely Private—But It Wasn’t – The Markup (Exploit; Press/Media Coverage; Third Party Advisory)
- https://blog.appcensus.io/2021/04/27/why-google-should-stop-logging-contact-tracing-data/
  Why Google Should Stop Logging Contact-Tracing Data – The AppCensus Blog (Exploit; Third Party Advisory)