Vulnerabilities > CVE-2018-19981 - Cleartext Storage of Sensitive Information vulnerability in Amazon AWS Software Development KIT

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

amazon

CWE-312

critical

NVD

Published: 2019-04-04

Updated: 2021-05-10

Summary

Amazon AWS SDK <=2.8.5 for Android uses Android SharedPreferences to store plain text AWS STS Temporary Credentials retrieved by AWS Cognito Identity Service. An attacker can use these credentials to create authenticated and/or authorized requests. Note that the attacker must have "root" privilege access to the Android filesystem in order to exploit this vulnerability (i.e. the device has been compromised, such as disabling or bypassing Android's fundamental security mechanisms).

Vulnerable Configurations

Part	Description	Count
Application	Amazon Amazon AWS Software Development KIT 2.0.5 Amazon AWS Software Development KIT 2.1.0 Amazon AWS Software Development KIT 2.1.1 Amazon AWS Software Development KIT 2.1.7 Amazon AWS Software Development KIT 2.1.8 Amazon AWS Software Development KIT 2.1.9 Amazon AWS Software Development KIT 2.1.10 Amazon AWS Software Development KIT 2.2.0 Amazon AWS Software Development KIT 2.2.1 Amazon AWS Software Development KIT 2.2.2 Amazon AWS Software Development KIT 2.2.3 Amazon AWS Software Development KIT 2.2.4 Amazon AWS Software Development KIT 2.2.5 Amazon AWS Software Development KIT 2.2.6 Amazon AWS Software Development KIT 2.2.7 Amazon AWS Software Development KIT 2.2.8 Amazon AWS Software Development KIT 2.2.9 Amazon AWS Software Development KIT 2.2.10 Amazon AWS Software Development KIT 2.2.11 Amazon AWS Software Development KIT 2.2.12 Amazon AWS Software Development KIT 2.2.13 Amazon AWS Software Development KIT 2.2.14 Amazon AWS Software Development KIT 2.2.15 Amazon AWS Software Development KIT 2.2.16 Amazon AWS Software Development KIT 2.2.17 Amazon AWS Software Development KIT 2.2.18 Amazon AWS Software Development KIT 2.2.19 Amazon AWS Software Development KIT 2.2.20 Amazon AWS Software Development KIT 2.2.21 Amazon AWS Software Development KIT 2.2.22 Amazon AWS Software Development KIT 2.3.0 Amazon AWS Software Development KIT 2.3.1 Amazon AWS Software Development KIT 2.3.2 Amazon AWS Software Development KIT 2.3.3 Amazon AWS Software Development KIT 2.3.4 Amazon AWS Software Development KIT 2.3.5 Amazon AWS Software Development KIT 2.3.6 Amazon AWS Software Development KIT 2.3.7 Amazon AWS Software Development KIT 2.3.8 Amazon AWS Software Development KIT 2.3.9 Amazon AWS Software Development KIT 2.4.0 Amazon AWS Software Development KIT 2.4.1 Amazon AWS Software Development KIT 2.4.2 Amazon AWS Software Development KIT 2.4.3 Amazon AWS Software Development KIT 2.4.4 Amazon AWS Software Development KIT 2.4.5 Amazon AWS Software Development KIT 2.4.6 Amazon AWS Software Development KIT 2.4.7 Amazon AWS Software Development KIT 2.6.0 Amazon AWS Software Development KIT 2.6.1 Amazon AWS Software Development KIT 2.6.2 Amazon AWS Software Development KIT 2.6.3 Amazon AWS Software Development KIT 2.6.4 Amazon AWS Software Development KIT 2.6.5 Amazon AWS Software Development KIT 2.6.6 Amazon AWS Software Development KIT 2.6.7 Amazon AWS Software Development KIT 2.6.8 Amazon AWS Software Development KIT 2.6.9 Amazon AWS Software Development KIT 2.6.10 Amazon AWS Software Development KIT 2.6.11 Amazon AWS Software Development KIT 2.6.12 Amazon AWS Software Development KIT 2.6.13 Amazon AWS Software Development KIT 2.6.14 Amazon AWS Software Development KIT 2.6.15 Amazon AWS Software Development KIT 2.6.16 Amazon AWS Software Development KIT 2.6.17 Amazon AWS Software Development KIT 2.6.18 Amazon AWS Software Development KIT 2.6.19 Amazon AWS Software Development KIT 2.6.20 Amazon AWS Software Development KIT 2.6.21 Amazon AWS Software Development KIT 2.6.22 Amazon AWS Software Development KIT 2.6.23 Amazon AWS Software Development KIT 2.6.24 Amazon AWS Software Development KIT 2.6.25 Amazon AWS Software Development KIT 2.6.26 Amazon AWS Software Development KIT 2.6.27 Amazon AWS Software Development KIT 2.6.28 Amazon AWS Software Development KIT 2.6.29 Amazon AWS Software Development KIT 2.6.30 Amazon AWS Software Development KIT 2.6.31 Amazon AWS Software Development KIT 2.7.0 Amazon AWS Software Development KIT 2.7.1 Amazon AWS Software Development KIT 2.7.2 Amazon AWS Software Development KIT 2.7.3 Amazon AWS Software Development KIT 2.7.4 Amazon AWS Software Development KIT 2.7.5 Amazon AWS Software Development KIT 2.7.6 Amazon AWS Software Development KIT 2.7.7 Amazon AWS Software Development KIT 2.8.0 Amazon AWS Software Development KIT 2.8.1 Amazon AWS Software Development KIT 2.8.2 Amazon AWS Software Development KIT 2.8.3 Amazon AWS Software Development KIT 2.8.4 Amazon AWS Software Development KIT 2.8.5	94

Common Weakness Enumeration (CWE)

CWE-312 - Cleartext Storage of Sensitive Information

Common Attack Pattern Enumeration and Classification (CAPEC)

Footprinting
An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
Lifting Data Embedded in Client Distributions
An attacker can resort to stealing data embedded in client distributions or client code in order to gain certain information. This information can reveal confidential contents, such as account numbers, or can be used as an intermediate step in a larger attack (such as by stealing keys/credentials).

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References