CVE-2011-2344
First published: Fri Jul 08 2011(Updated: )
Android Picasa in Android 3.0 and 2.x through 2.3.4 uses a cleartext HTTP session when transmitting the authToken obtained from ClientLogin, which allows remote attackers to gain privileges and access private pictures and web albums by sniffing the token from connections with picasaweb.google.com.
Credit: cve-coordination@google.com chrome-cve-admin@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Android | =2.1 | |
| Android | =2.2 | |
| Android | =2.2-rev1 | |
| Android | =2.2.1 | |
| Android | =2.2.2 | |
| Android | =2.3-rev1 | |
| Android | =2.3.3 | |
| Android | =2.3.4 | |
| Android | =3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://android.git.kernel.org/?p=platform/packages/apps/Gallery3D.git%3Ba=commit%3Bh=7a763db1c15bb6436be85a3f23382e4171970b6e
- http://android.git.kernel.org/?p=platform/packages/apps/Gallery3D.git%3Ba=commit%3Bh=9a418de454e5ce078c98f41b5c18e3bb9175bd20
- http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html
- http://android.git.kernel.org/?p=platform/packages/apps/Gallery3D.git;a=commit;h=7a763db1c15bb6436be85a3f23382e4171970b6e
- http://android.git.kernel.org/?p=platform/packages/apps/Gallery3D.git;a=commit;h=9a418de454e5ce078c98f41b5c18e3bb9175bd20
Frequently Asked Questions
What is the severity of CVE-2011-2344?
The severity of CVE-2011-2344 is classified as high due to the risk of unauthorized access to private pictures and web albums.
How do I fix CVE-2011-2344?
To fix CVE-2011-2344, update to a version of Android that does not use cleartext HTTP for transmitting authTokens.
What are the impacts of CVE-2011-2344?
CVE-2011-2344 allows remote attackers to sniff the authToken, potentially granting them access to private data in Picasa.
Which Android versions are affected by CVE-2011-2344?
CVE-2011-2344 affects Android versions 2.1, 2.2, 2.3, and 3.0.
Is it safe to use affected Android versions with Picasa?
Using affected Android versions with Picasa is not safe due to the risk of exposure of private data.
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-historical
- vendor/google
- canonical/android
- version/android/2.1
- version/android/2.2
- version/android/2.2-rev1
- version/android/2.2.1
- version/android/2.2.2
- version/android/2.3-rev1
- version/android/2.3.3
- version/android/2.3.4
- version/android/3.0