CVE-2021-43849
cordova-plugin-fingerprint-aio DoS vulnerability
Description
## Summary: Sending a specially crafted intent with an invalid/empty extras `de.niklasmerz.cordova.biometric.BiometricActivity` can cause the app to crash. sending the intent repeatedly can prevent the app using this plugin from working, resulting in a denial of service (DoS) condition. ## Impact A 3rd party app/remote attacker can exploit this vulnerability by sending a malicious intent to the target device, causing the app using this plugin from working to crash or become unresponsive, resulting in a denial of service (DoS) condition. ## Mitigation Version 5.0.1 of the cordova-plugin-fingerprint-aio doesn't export the activity anymore and is no longer vulnerable. If you want to fix older versions change the attribute `android:exported` of this code snippet in plugin.xml to `false`: ```xml <config-file target="AndroidManifest.xml" parent="application"> <activity android:name="de.niklasmerz.cordova.biometric.BiometricActivity" android:theme="@style/TransparentTheme" android:exported="false"/> </config-file> ``` ## Patches Please upgrade to version 5.0.1 as soon as possible. Please check out the release on [GitHub](https://github.com/NiklasMerz/cordova-plugin-fingerprint-aio/releases/tag/v5.0.1). ## For more information If you have any questions or comments about this advisory please go to the discussion on [GitHub](https://github.com/NiklasMerz/cordova-plugin-fingerprint-aio/discussions/394).
How to fix CVE-2021-43849
To remediate CVE-2021-43849, upgrade the affected package to a fixed version below.
- —upgrade to 5.0.1 or later
Is CVE-2021-43849 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 5.0.1