CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3391
https://notcve.org/view.php?id=CVE-2021-3391
29 Mar 2021 — MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message MobileIron Mobile@Work hasta el 22 de marzo de 2021, permite a atacantes distinguir entre cuentas de usuario válidas, desactivadas e inexistentes al observar el número de intentos fallidos de inicio de sesión necesarios para producir un mensaje de error de bloqueo • https://github.com/optiv/rustyIron •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 3CVE-2020-35138
https://notcve.org/view.php?id=CVE-2020-35138
29 Mar 2021 — The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack ** EN DISPUTA ** Los agentes de MobileIron hasta el 2021-03-22 para Android e iOS con... • https://github.com/optiv/rustyIron • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2020-35137
https://notcve.org/view.php?id=CVE-2020-35137
29 Mar 2021 — The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, th... • https://github.com/optiv/rustyIron • CWE-798: Use of Hard-coded Credentials •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2014-5903
https://notcve.org/view.php?id=CVE-2014-5903
15 Sep 2014 — The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. La aplicación Mobile@Work 6.0.0.1.12R (también conocida como com.mobileiron) para Android no verifica los certificados X.509 de los servidores SSL, lo que permite a atacantes man-in-the-middle falsificar servidores y obtener información sensible a través de un certifi... • http://www.kb.cert.org/vuls/id/582497 • CWE-310: Cryptographic Issues •