CVE-2018-19981

Summary

CVE	CVE-2018-19981
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-04-04 15:29:00 UTC
Updated	2021-05-10 16:20:00 UTC
Description	Amazon AWS SDK <=2.8.5 for Android uses Android SharedPreferences to store plain text AWS STS Temporary Credentials retrieved by AWS Cognito Identity Service. An attacker can use these credentials to create authenticated and/or authorized requests. Note that the attacker must have "root" privilege access to the Android filesystem in order to exploit this vulnerability (i.e. the device has been compromised, such as disabling or bypassing Android's fundamental security mechanisms).

Risk And Classification

Problem Types: CWE-312

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Amazon	Amazon Web Services Software Development Kit	All	All	All	All
Application	Amazon	Aws Software Development Kit	All	All	All	All
Application	Amazon	Aws Software Development Kit	All	All	All	All

References

Reference	Source	Link	Tags
raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulns/aws/aws_sdk_sp...	MISC	raw.githubusercontent.com	Exploit, Third Party Advisory
CognitoCachingCredentialsProvider (AWS SDK for Android - 2.22.1)	MISC	aws-amplify.github.io	Exploit, Third Party Advisory
raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulns/aws/aws_sdk_sp...	MISC	raw.githubusercontent.com	Exploit, Third Party Advisory
raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulns/aws/aws_sdk_sp...	MISC	raw.githubusercontent.com	Exploit, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.