HIGH🇬🇧 English

CVE-2020-35137

CVSS 7.5v3.1pub. 2021-03-29upd. 2024-11-21

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Mobileiron Mobile\@work

    APP
    Mobileiron
    ≤ 2021-03-22
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2020-35138CRITICAL9.8ten sam produkt

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encry...

CVE-2021-3391MEDIUM5.3ten sam produkt

MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexiste...

CVE-2014-5903MEDIUM5.4ten sam produkt

The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates fr...

CVE-2020-15505CRITICAL9.8⚠ KEVten sam vendor

A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, ...

CVE-2020-15506CRITICAL9.8ten sam vendor

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0,...