Apache Cordova For Android Security Restriction Bypass Vulnerability (CVE-2014-3501)

Apache Cordova For Android Security Restriction Bypass Vulnerability (CVE-2014-3501)

Release date:
Updated on:

Affected Systems:
Apache Group Cordova <3.5.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69041
CVE (CAN) ID: CVE-2014-3501
 
Apache Cordova is a platform for building local mobile applications using HTML, CSS, and JavaScript.
 
Android apps built with Apache Cordova for Android 3.5.0 and other versions use the WebView component to display the content. The Cordova application can specify a URL whitelist that allows display or communication through XMLHttpRequest. However, if JavaScript enables communication through non-HTTP channels, the WebView component cannot use this whitelist. If attackers can execute arbitrary JavaScript code in the application, they can open connections to any server and bypass the HTTP whitelist.
 
<* Source: David Kaplan
Roee Hay

Link: http://cordova.apache.org/announcements/2014/08/04/android-351.html
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
 
Http://cordova.apache.org/
Http://cordova.apache.org/announcements/2014/08/04/android-351.html

This article permanently updates the link address: