CRITICAL🇵🇱 Wersja polska

CVE-2020-35138

CVSS 9.8v3.1pub. 2021-03-29upd. 2024-11-21

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mobileiron Mobile\@work

    APP
    Mobileiron
    ≤ 2021-03-22
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2020-35137HIGH7.5ten sam produkt

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate ...

CVE-2021-3391MEDIUM5.3ten sam produkt

MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexiste...

CVE-2014-5903MEDIUM5.4ten sam produkt

The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates fr...

CVE-2020-15505CRITICAL9.8⚠ KEVten sam vendor

A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, ...

CVE-2020-15506CRITICAL9.8ten sam vendor

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0,...