Details of VAR-201401-0352

ID

VAR-201401-0352

CVE

CVE-2014-0647

TITLE

iOS for Starbucks Vulnerability that information such as user name is acquired in the application

Trust: 0.8

sources: JVNDB: JVNDB-2014-001269

DESCRIPTION

The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog. Starbucks is prone to an information-disclosure vulnerability. Successfully exploiting this issue may allow attackers to obtain sensitive information from the application, that may aid in further attacks. Starbucks 2.6.1 is vulnerable; other versions may also be affected. Starbucks is a set of mobile applications for the IOS platform of Starbucks in the United States. The application supports GPS automatic positioning, querying product introductions, understanding event information, etc

Trust: 1.98

sources: NVD: CVE-2014-0647 // JVNDB: JVNDB-2014-001269 // BID: 64942 // VULHUB: VHN-68140

AFFECTED PRODUCTS

vendor:	starbucks	model:	starbucks	scope:	eq	version:	2.6.1	Trust: 1.6
vendor:	starbucks coffee	model:	starbucks	scope:	eq	version:	2.6.1	Trust: 0.8

sources: JVNDB: JVNDB-2014-001269 // CNNVD: CNNVD-201401-560 // NVD: CVE-2014-0647

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-0647
value:	LOW
Trust: 1.0
NVD:	CVE-2014-0647
value:	LOW
Trust: 0.8
CNNVD:	CNNVD-201401-560
value:	LOW
Trust: 0.6
VULHUB:	VHN-68140
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2014-0647
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-68140
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-68140 // JVNDB: JVNDB-2014-001269 // CNNVD: CNNVD-201401-560 // NVD: CVE-2014-0647

PROBLEMTYPE DATA

problemtype:

CWE-255

Trust: 1.9

sources: VULHUB: VHN-68140 // JVNDB: JVNDB-2014-001269 // NVD: CVE-2014-0647

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201401-560

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201401-560

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001269

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-68140

PATCH

title:	Starbucks	url:	https://itunes.apple.com/us/app/starbucks/id331177714?mt=8	Trust: 0.8
title:	Mobile Apps	url:	http://www.starbucks.com/coffeehouse/mobile-apps	Trust: 0.8

sources: JVNDB: JVNDB-2014-001269

EXTERNAL IDS

db:	NVD	id:	CVE-2014-0647	Trust: 2.8
db:	BID	id:	64942	Trust: 2.0
db:	OSVDB	id:	102514	Trust: 1.7
db:	XF	id:	90412	Trust: 1.4
db:	JVNDB	id:	JVNDB-2014-001269	Trust: 0.8
db:	CNNVD	id:	CNNVD-201401-560	Trust: 0.7
db:	BUGTRAQ	id:	20140114 [CVE-2014-0647] INSECURE DATA STORAGE OF USER DATA ELEMENTS IN STARBUCKS V2.6.1 IOS MOBILE APPLICATION	Trust: 0.6
db:	XF	id:	20140647	Trust: 0.6
db:	FULLDISC	id:	20140113 [CVE-2014-0647] INSECURE DATA STORAGE OF USER DATA ELEMENTS IN STARBUCKS V2.6.1 IOS MOBILE APPLICATION	Trust: 0.6
db:	FULLDISC	id:	20140117 RE: [CVE-2014-0647] INSECURE DATA STORAGE OF USER DATA ELEMENTS IN STARBUCKS V2.6.1 IOS MOBILE APPLICATION	Trust: 0.6
db:	PACKETSTORM	id:	124768	Trust: 0.1
db:	VULHUB	id:	VHN-68140	Trust: 0.1

sources: VULHUB: VHN-68140 // BID: 64942 // JVNDB: JVNDB-2014-001269 // CNNVD: CNNVD-201401-560 // NVD: CVE-2014-0647

REFERENCES

url:	http://seclists.org/fulldisclosure/2014/jan/123	Trust: 2.5
url:	http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/	Trust: 2.5
url:	http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/	Trust: 2.5
url:	http://www.securityfocus.com/bid/64942	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2014/jan/64	Trust: 1.7
url:	https://itunes.apple.com/us/app/starbucks/id331177714?mt=8	Trust: 1.7
url:	http://www.osvdb.org/102514	Trust: 1.7
url:	http://xforce.iss.net/xforce/xfdb/90412	Trust: 1.4
url:	http://www.securityfocus.com/archive/1/530756/100/0/threaded	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/90412	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0647	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0647	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/530756/100/0/threaded	Trust: 0.6

sources: VULHUB: VHN-68140 // JVNDB: JVNDB-2014-001269 // CNNVD: CNNVD-201401-560 // NVD: CVE-2014-0647

CREDITS

Daniel E. Wood

Trust: 0.3

sources: BID: 64942

SOURCES

db:	VULHUB	id:	VHN-68140
db:	BID	id:	64942
db:	JVNDB	id:	JVNDB-2014-001269
db:	CNNVD	id:	CNNVD-201401-560
db:	NVD	id:	CVE-2014-0647

LAST UPDATE DATE

2025-04-11T23:18:48.869000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-68140	date:	2018-10-09T00:00:00
db:	BID	id:	64942	date:	2014-01-22T01:02:00
db:	JVNDB	id:	JVNDB-2014-001269	date:	2014-01-29T00:00:00
db:	CNNVD	id:	CNNVD-201401-560	date:	2014-01-29T00:00:00
db:	NVD	id:	CVE-2014-0647	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-68140	date:	2014-01-28T00:00:00
db:	BID	id:	64942	date:	2014-01-13T00:00:00
db:	JVNDB	id:	JVNDB-2014-001269	date:	2014-01-29T00:00:00
db:	CNNVD	id:	CNNVD-201401-560	date:	2014-01-29T00:00:00
db:	NVD	id:	CVE-2014-0647	date:	2014-01-28T00:55:03.957