CVE-2021-43849
cordova-plugin-fingerprint-aio DoS vulnerability
Description
## Summary

Sending a specially crafted intent with invalid or empty extras to `de.niklasmerz.cordova.biometric.BiometricActivity` can cause the app to crash. Sending the intent repeatedly can prevent the app using this plugin from working, resulting in a denial of service (DoS) condition.

## Impact

A third-party app or remote attacker can exploit this vulnerability by sending a malicious intent to the target device, causing the app using this plugin to crash or become unresponsive, resulting in a denial of service (DoS) condition.

## Mitigation

Version 5.0.1 of cordova-plugin-fingerprint-aio no longer exports the activity and is no longer vulnerable. To fix older versions, change the `android:exported` attribute of this code snippet in plugin.xml to `false`:

```xml
<config-file target="AndroidManifest.xml" parent="application">
    <activity android:name="de.niklasmerz.cordova.biometric.BiometricActivity"
              android:theme="@style/TransparentTheme"
              android:exported="false"/>
</config-file>
```

## Patches

Please upgrade to version 5.0.1 as soon as possible. Please check out the release on [GitHub](https://github.com/NiklasMerz/cordova-plugin-fingerprint-aio/releases/tag/v5.0.1).

## For more information

If you have any questions or comments about this advisory, please go to the discussion on [GitHub](https://github.com/NiklasMerz/cordova-plugin-fingerprint-aio/discussions/394).
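To confirm the mitigation landed, the following added example (not part of the advisory or the plugin's code) reads a plugin.xml or merged AndroidManifest.xml and reports how `BiometricActivity` sets `android:exported`. The sample XML is constructed for illustration, and the names `audit_exported`, `local` and `SAMPLE` are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TARGET = "de.niklasmerz.cordova.biometric.BiometricActivity"

# Constructed sample of a plugin.xml fragment; "{}" is filled with the exported attribute.
SAMPLE = """<plugin xmlns="http://apache.org/cordova/ns/plugins/1.0"
        xmlns:android="http://schemas.android.com/apk/res/android">
  <platform name="android">
    <config-file target="AndroidManifest.xml" parent="application">
      <activity android:name="de.niklasmerz.cordova.biometric.BiometricActivity"
                android:theme="@style/TransparentTheme" {}/>
    </config-file>
  </platform>
</plugin>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_exported(xml_text):
    """Return one verdict per declaration of the biometric activity."""
    verdicts = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "activity" or el.get(f"{{{ANDROID_NS}}}name") != TARGET:
            continue
        exported = el.get(f"{{{ANDROID_NS}}}exported")
        if exported == "false":
            verdicts.append("not-exported")
        elif exported == "true":
            verdicts.append("exported")
        else:
            # Attribute missing: the effective value depends on intent filters
            # and platform defaults, so flag it for an explicit setting.
            has_filter = any(local(c.tag) == "intent-filter" for c in el)
            verdicts.append("unset-with-filter" if has_filter else "unset")
    return verdicts


if __name__ == "__main__":
    for attr in ('android:exported="true"', 'android:exported="false"', ""):
        print(repr(attr), "->", audit_exported(SAMPLE.format(attr)))
```

Run it against the merged manifest of the built app as well as plugin.xml, since the merged file is what the device enforces.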
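How to fix CVE-2021-43849
To fix CVE-2021-43849, upgrade the affected package to the patched version listed below.
- Upgrade to 5.0.1 or later
Is CVE-2021-43849 being exploited?
Low: EPSS is 0.1%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)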
- from 0, < 5.0.1