First published: Mon Mar 29 2021
** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
MobileIron Mobile@work | <=2021-03-22 | |
The vulnerability ID for this issue is CVE-2020-35138.
CVE-2020-35138 has a severity level of critical.
The affected software for CVE-2020-35138 is MobileIron Mobile@work for Android and iOS versions up to 2021-03-22.
CVE-2020-35138 has a CWE ID of 798.
There are no known fixes or mitigations available for CVE-2020-35138 at the moment. It is recommended to follow the vendor's advisories for any updates or patches.