Vulnerabilities > CVE-2021-43849 - Reachable Assertion vulnerability in Cordova Plugin Fingerprint All-In-One Project Cordova Plugin Fingerprint All-In-One

CVSS 2.1 - LOW

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

local

low complexity

cordova-plugin-fingerprint-all-in-one-project

CWE-617

NVD

Published: 2021-12-23

Updated: 2022-01-11

Summary

cordova-plugin-fingerprint-aio is a plugin provides a single and simple interface for accessing fingerprint APIs on both Android 6+ and iOS. In versions prior to 5.0.1 The exported activity `de.niklasmerz.cordova.biometric.BiometricActivity` can cause the app to crash. This vulnerability occurred because the activity didn't handle the case where it is requested with invalid or empty data which results in a crash. Any third party app can constantly call this activity with no permission. A 3rd party app/attacker using event listener can continually stop the app from working and make the victim unable to open it. Version 5.0.1 of the cordova-plugin-fingerprint-aio doesn't export the activity anymore and is no longer vulnerable. If you want to fix older versions change the attribute android:exported in plugin.xml to false. Please upgrade to version 5.0.1 as soon as possible.

Vulnerable Configurations

Part	Description	Count
Application	Cordova_Plugin_Fingerprint_All-In-One_Project Cordova Plugin Fingerprint ALL IN ONE Project Cordova Plugin Fingerprint ALL IN ONE *	1
OS	Apple Apple Iphone OS -	1
OS	Google Google Android *	1

Common Weakness Enumeration (CWE)

CWE-617 - Reachable Assertion

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References