Show vulnerabilities with patch / with exploit

Security feature bypass in Microsoft OneDrive for Android



Published: 2020-01-14
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2020-0654
CWE ID CWE-254
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe
Microsoft OneDrive for Android
Mobile applications / Apps for mobile phones

Vendor Microsoft

Security Advisory

This security advisory describes one low risk vulnerability.

1) Security Features

Severity: Low

CVSSv3: 5.9 [CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-0654

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

This vulnerability allows a local attacker to bypass security rescritions feature.

The vulnerability exists due to the way Microsoft OneDrive App for Android handles sharing links. An attacker with physical access can bypass the passcode or fingerprint requirements of the App.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft OneDrive for Android: -

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0654

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted app.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.