CVE-2012-6636
First published: Mon Mar 03 2014(Updated: )
The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Google Android API | <=16.0 | |
| Google Android API | =1.0 | |
| Google Android API | =2.0 | |
| Google Android API | =3.0 | |
| Google Android API | =4.0 | |
| Google Android API | =5.0 | |
| Google Android API | =6.0 | |
| Google Android API | =7.0 | |
| Google Android API | =8.0 | |
| Google Android API | =9.0 | |
| Google Android API | =10.0 | |
| Google Android API | =11.0 | |
| Google Android API | =12.0 | |
| Google Android API | =13.0 | |
| Google Android API | =14.0 | |
| Google Android API | =15.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://50.56.33.56/blog/?p=314
- http://developer.android.com/reference/android/os/Build.VERSION_CODES.html#JELLY_BEAN_MR1
- http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29
- http://jvn.jp/en/jp/JVN62161191/index.html
- http://openwall.com/lists/oss-security/2014/02/07/9
- http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf
- http://www.internetsociety.org/ndss2014/programme#session3
- https://support.lenovo.com/us/en/product_security/len_6421
- http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object%2C%20java.lang.String%29
Frequently Asked Questions
What is the severity of CVE-2012-6636?
CVE-2012-6636 has a medium severity rating due to its potential to allow remote attackers to execute arbitrary methods on Java objects.
How do I fix CVE-2012-6636?
To fix CVE-2012-6636, update your Android API level to 17 or higher where the vulnerability has been addressed.
What versions are affected by CVE-2012-6636?
CVE-2012-6636 affects Android API versions 16 and below.
What is the impact of CVE-2012-6636?
The impact of CVE-2012-6636 allows attackers to use crafted JavaScript code to invoke arbitrary methods, compromising application security.
Who is at risk for CVE-2012-6636?
Any applications utilizing WebView in Android API levels prior to 17 are at risk for CVE-2012-6636.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/author
- agent/references
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/google
- canonical/google android api
- version/google android api/16.0
- version/google android api/1.0
- version/google android api/2.0
- version/google android api/3.0
- version/google android api/4.0
- version/google android api/5.0
- version/google android api/6.0
- version/google android api/7.0
- version/google android api/8.0
- version/google android api/9.0
- version/google android api/10.0
- version/google android api/11.0
- version/google android api/12.0
- version/google android api/13.0
- version/google android api/14.0
- version/google android api/15.0