// For flags

CVE-2021-43849

DoS vulnerability

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

cordova-plugin-fingerprint-aio is a plugin provides a single and simple interface for accessing fingerprint APIs on both Android 6+ and iOS. In versions prior to 5.0.1 The exported activity `de.niklasmerz.cordova.biometric.BiometricActivity` can cause the app to crash. This vulnerability occurred because the activity didn't handle the case where it is requested with invalid or empty data which results in a crash. Any third party app can constantly call this activity with no permission. A 3rd party app/attacker using event listener can continually stop the app from working and make the victim unable to open it. Version 5.0.1 of the cordova-plugin-fingerprint-aio doesn't export the activity anymore and is no longer vulnerable. If you want to fix older versions change the attribute android:exported in plugin.xml to false. Please upgrade to version 5.0.1 as soon as possible.

cordova-plugin-fingerprint-aio es un plugin que proporciona una interfaz única y sencilla para acceder a las API de huellas dactilares tanto en Android 6+ como en iOS. En versiones anteriores a 5.0.1 la actividad exportada "de.niklasmerz.cordova.biometric.BiometricActivity" puede causar un bloqueo de la aplicación. Esta vulnerabilidad es producida porque la actividad no maneja el caso de que es solicitado con datos no válidos o vacíos, lo que resulta en un bloqueo. Cualquier aplicación de terceros puede llamar constantemente a esta actividad sin permiso. Una aplicación de terceros/atacante usando un escuchador de eventos puede detener continuamente el funcionamiento de la aplicación y hacer que la víctima no pueda abrirla. La versión 5.0.1 del cordova-plugin-fingerprint-aio ya no exporta la actividad y ya no es vulnerable. Si quieres arreglar versiones anteriores cambia el atributo android:exported en el plugin.xml a false. Actualiza a versión 5.0.1 lo antes posible

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-11-16 CVE Reserved
  • 2021-12-23 CVE Published
  • 2023-07-16 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-617: Reachable Assertion
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cordova Plugin Fingerprint All-in-one Project
Search vendor "Cordova Plugin Fingerprint All-in-one Project"
 Cordova Plugin Fingerprint All-in-one
Search vendor "Cordova Plugin Fingerprint All-in-one Project" for product "Cordova Plugin Fingerprint All-in-one"
 < 5.0.1
Search vendor "Cordova Plugin Fingerprint All-in-one Project" for product "Cordova Plugin Fingerprint All-in-one" and version " < 5.0.1"
node.js
Affected
in Apple
Search vendor "Apple"
 Iphone Os
Search vendor "Apple" for product "Iphone Os"
--
Safe
Cordova Plugin Fingerprint All-in-one Project
Search vendor "Cordova Plugin Fingerprint All-in-one Project"
 Cordova Plugin Fingerprint All-in-one
Search vendor "Cordova Plugin Fingerprint All-in-one Project" for product "Cordova Plugin Fingerprint All-in-one"
 < 5.0.1
Search vendor "Cordova Plugin Fingerprint All-in-one Project" for product "Cordova Plugin Fingerprint All-in-one" and version " < 5.0.1"
node.js
Affected
in Google
Search vendor "Google"
 Android
Search vendor "Google" for product "Android"
 >= 6.0
Search vendor "Google" for product "Android" and version " >= 6.0"
-
Safe