First published: Thu Dec 23 2021 (Updated: )
## Summary

Sending a specially crafted intent with invalid or empty extras to `de.niklasmerz.cordova.biometric.BiometricActivity` can cause the app to crash. Sending the intent repeatedly can prevent the app using this plugin from working, resulting in a denial of service (DoS) condition.

## Impact

A third-party app or remote attacker can exploit this vulnerability by sending a malicious intent to the target device, causing the app using this plugin to crash or become unresponsive, resulting in a denial of service (DoS) condition.

## Mitigation

Version 5.0.1 of cordova-plugin-fingerprint-aio no longer exports the activity and is no longer vulnerable. If you want to fix older versions, change the `android:exported` attribute of this snippet in plugin.xml to `false`:

```xml
<config-file target="AndroidManifest.xml" parent="application">
    <activity android:name="de.niklasmerz.cordova.biometric.BiometricActivity"
              android:theme="@style/TransparentTheme"
              android:exported="false"/>
</config-file>
```

## Patches

Please upgrade to version 5.0.1 as soon as possible. Please check out the release on [GitHub](https://github.com/NiklasMerz/cordova-plugin-fingerprint-aio/releases/tag/v5.0.1).

## For more information

If you have any questions or comments about this advisory, please go to the discussion on [GitHub](https://github.com/NiklasMerz/cordova-plugin-fingerprint-aio/discussions/394).
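To audit a plugin.xml for the weak setting described in the mitigation, the following added check (not part of the advisory or the plugin's own code) parses the manifest fragments a Cordova plugin injects and reports every `<activity>` that other apps could reach: an explicit `android:exported="true"`, or no attribute together with an `<intent-filter>` (the pre-Android 12 default). The plugin id, version and both sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed plugin.xml skeleton; only the exported attribute varies.
PLUGIN_TEMPLATE = """<plugin xmlns="http://apache.org/cordova/ns/plugins/1.0"
    xmlns:android="http://schemas.android.com/apk/res/android"
    id="sample-plugin" version="0.0.0">
  <platform name="android">
    <config-file target="AndroidManifest.xml" parent="application">
      <activity android:name="de.niklasmerz.cordova.biometric.BiometricActivity"
                android:theme="@style/TransparentTheme" {exported}/>
    </config-file>
  </platform>
</plugin>"""

VULNERABLE = PLUGIN_TEMPLATE.format(exported='android:exported="true"')   # pre-5.0.1 shape
FIXED = PLUGIN_TEMPLATE.format(exported='android:exported="false"')       # mitigated shape


def _local(tag):
    """Strip the XML namespace prefix ElementTree puts on tags: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def find_exported_activities(plugin_xml):
    """Return the android:name of every <activity> in the plugin's injected
    manifest fragments that is reachable from other apps."""
    root = ET.fromstring(plugin_xml)
    exported = []
    for elem in root.iter():
        if _local(elem.tag) != "activity":
            continue
        name = elem.get(f"{{{ANDROID_NS}}}name", "<unnamed>")
        flag = elem.get(f"{{{ANDROID_NS}}}exported")
        # Without an explicit attribute, an activity with an intent-filter is
        # exported by default on targetSdk < 31; without one it is private.
        has_filter = any(_local(child.tag) == "intent-filter" for child in elem)
        if flag == "true" or (flag is None and has_filter):
            exported.append(name)
    return exported


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, find_exported_activities(doc))
```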
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
npm/cordova-plugin-fingerprint-aio | <5.0.1 | 5.0.1
Cordova Plugin Fingerprint All-in-one Project Cordova Plugin Fingerprint All-in-one | <5.0.1 |
Apple iPhone OS | |
Google Android | >=6.0 |

Affected configuration, all of:

- Cordova Plugin Fingerprint All-in-one Project Cordova Plugin Fingerprint All-in-one <5.0.1
- Any of:
  - Apple iPhone OS
  - Google Android >=6.0