Insertion of Sensitive Information into Log File Affecting cordova package, versions [,6.0.0)


Severity

high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 0.1% (44th percentile)

  • Snyk ID: SNYK-UNMANAGED-CORDOVA-2370315
  • published: 26 Jan 2022
  • disclosed: 9 May 2017
  • credit: Unknown

Introduced: 9 May 2017

CVE-2016-6799
CWE-532

How to fix?

Upgrade cordova to version 6.0.0 or higher.

Overview

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The affected product is Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. On platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application, so any application installed on the device can read data logged by other applications.
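An audit check for the pattern described above, added here as an example (it is not Snyk's or Apache Cordova's code): it scans Java source for the five Log calls and flags those whose non-literal arguments look sensitive. The keyword list, the function names and the sample source are assumptions constructed for illustration.

```python
import re

LOG_CALL = re.compile(r'\bLog\.([vdiwe])\s*\(')   # the five Log methods the advisory names
# Assumption: identifier fragments that suggest sensitive data; tune per code base.
SENSITIVE = re.compile(r'(passw(or)?d|token|secret|cookie|session|auth|api_?key|credential)', re.I)
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')

def call_arguments(source, open_paren):
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth, in_string, i = 0, False, open_paren
    while i < len(source):
        ch = source[i]
        if in_string:
            if ch == '\\':
                i += 1              # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                return source[open_paren + 1:i]
        i += 1
    return source[open_paren + 1:]   # unbalanced call: return what is left

def find_sensitive_log_calls(source):
    """Return (line, level, arguments) for Log calls that pass sensitive-looking variables."""
    findings = []
    for m in LOG_CALL.finditer(source):
        args = call_arguments(source, m.end() - 1)
        code_only = STRING_LITERAL.sub('""', args)   # judge variables, not message text
        if SENSITIVE.search(code_only):
            line = source.count('\n', 0, m.start()) + 1
            findings.append((line, m.group(1), ' '.join(args.split())))
    return findings

# Constructed sample, not taken from Cordova's source.
SAMPLE = '''\
Log.d(TAG, "Loading url (" + url);
Log.i(TAG, "login ok, token=" + authToken);
Log.w(TAG, "Password field is empty");
Log.e(TAG, "request failed: " + format(sessionCookie,
      code));
'''

for line, level, args in find_sensitive_log_calls(SAMPLE):
    print(f"line {line}: Log.{level}({args})")
```

Matching is by identifier name only, so a hit is a candidate for review, and values logged under neutral names are not caught.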

CVSS Base Scores

version 3.1