CVE-2020-14292

Published: 09/09/2020 Updated: 21/07/2021
CVSS v2 Base Score: 2.9 | Impact Score: 2.9 | Exploitability Score: 5.5
CVSS v3 Base Score: 5.7 | Impact Score: 3.6 | Exploitability Score: 2.1
VMScore: 259
Vector: AV:A/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

In the COVIDSafe application up to and including 1.0.21 for Android, unsafe use of the Bluetooth transport option in the GATT connection allows malicious users to trick the application into establishing a connection over Bluetooth BR/EDR transport, which reveals the public Bluetooth address of the victim's phone without authorisation, bypassing the Bluetooth address randomisation protection in the user's phone.

Vulnerable Product

health covidsafe

Github Repositories

Details of CVE-2020-14292

CVE-2020-14292: A bluetooth transport issue in COVIDSafe App
Author: Alwen Tiu, The Australian National University
Last updated: 2020-09-08
Summary: In the COVIDSafe application through 1.0.21 for Android, unsafe use of the Bluetooth transport option in the GATT connection allows attackers to trick the application into establishing a connection over Bluetooth BR/EDR transport, w

Bluetooth and contact tracing research
COVIDSafe and related applications:
A remote crash exploit on COVIDSafe 20 (Android)
CVE-2020-14292 Identity address leakage through bluetooth transport
CVE-2020-12856 A silent pairing issue affecting the Android version of COVIDSafe app v117 and earlier versions. Joint work with Jim Mussared
Apple/Google Exposure Notifications F