
RCE vulnerability found in CWA app to track COVID-19 spread


An issue has been identified in the infrastructure that powers the Corona-Warn-App on Android and iOS.

Experts from GitHub Security Lab have discovered a critical vulnerability in the official German Corona-Warn-App (CWA), the application used to trace contacts with people infected with coronavirus (COVID-19). Exploiting it could allow an attacker to remotely execute arbitrary code.

The vulnerable code was in the Submission Service, a microservice built on the Spring Boot framework that validates information submitted by CWA users. Submissions are handled by the SubmissionController, which checks various aspects of the data provided by the user, for example that all required fields are present. The payload itself is validated by the ValidSubmissionPayload validator.

“If any validated properties of the bean are passed into a custom constraint violation template, the attacker-controlled property will be evaluated as Expression Language, allowing arbitrary Java code to be evaluated,” the researchers explained.

Any POST request sent to the submission endpoint is accepted by default and requires no additional authorization or authentication. The submission endpoint itself is publicly accessible, so the flaw can be reached remotely.
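The pattern the researchers describe, shown as an added example rather than CWA's own code: a custom Bean Validation constraint that echoes the submitted value into its violation template (the vulnerable form) next to the fixed form that keeps the template constant. It assumes the javax.validation API with Hibernate Validator on the classpath, and the payload, annotation and validator names are hypothetical.

```java
import java.lang.annotation.*;
import java.util.*;
import javax.validation.*;

// Constructed stand-in for a submission payload (not CWA's real class).
class SubmissionPayload {
    @SafeKeys List<String> keys;
    SubmissionPayload(List<String> keys) { this.keys = keys; }
}

@Constraint(validatedBy = SafeKeysValidator.class)
@Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
@interface SafeKeys {
    String message() default "key must be 16 bytes of base64";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class SafeKeysValidator implements ConstraintValidator<SafeKeys, List<String>> {
    // Set to true only to reproduce the vulnerable pattern described in the article.
    static final boolean ECHO_INPUT_INTO_TEMPLATE = false;
    public boolean isValid(List<String> keys, ConstraintValidatorContext ctx) {
        if (keys == null) return true;                 // null-ness is @NotNull's job
        for (String k : keys) {
            if (k != null && k.matches("[A-Za-z0-9+/]{22}==")) continue;
            ctx.disableDefaultConstraintViolation();
            if (ECHO_INPUT_INTO_TEMPLATE) {
                // VULNERABLE: the submitted string becomes part of the message template, so the
                // validator's interpolator treats any ${...} inside it as Expression Language.
                ctx.buildConstraintViolationWithTemplate("invalid key: " + k).addConstraintViolation();
            } else {
                // FIXED: the template is a compile-time constant taken from the annotation;
                // untrusted input never reaches the message interpolator.
                ctx.buildConstraintViolationWithTemplate(ctx.getDefaultConstraintMessageTemplate())
                   .addConstraintViolation();
            }
            return false;
        }
        return true;
    }
}

public class KeyValidationDemo {
    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        SubmissionPayload p = new SubmissionPayload(Arrays.asList("AAAAAAAAAAAAAAAAAAAAAA==", "bad")); // constructed input
        for (ConstraintViolation<SubmissionPayload> v : validator.validate(p))
            System.out.println(v.getPropertyPath() + ": " + v.getMessage());
    }
}
```

In the fixed branch the offending element is still rejected; if it must be reported, carry it in a dedicated response field rather than in the template string.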

The researchers informed SAP of their findings and worked with the company to fix the problem.
