ID

VAR-201403-0224


CVE

CVE-2014-1939


TITLE

Arbitrary Java code execution vulnerability in java/android/webkit/BrowserFrame.java in Android

Trust: 0.8

sources: JVNDB: JVNDB-2014-001554

DESCRIPTION

java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels. Google Android Jelly Bean is prone to an unspecified security vulnerability. Little is known about this issue or its effects at this time. We will update this BID as more information emerges. Google Chrome is a web browser developed by Google. Android is a Linux-based open source operating system jointly developed by Google and the Open Handheld Alliance (OHA). The vulnerability stems from the fact that the program uses the addJavascriptInterface API and creates an object of the SearchBoxImpl class.

Trust: 2.07

sources: NVD: CVE-2014-1939 // JVNDB: JVNDB-2014-001554 // BID: 65473 // VULHUB: VHN-69878 // VULMON: CVE-2014-1939

AFFECTED PRODUCTS

vendor: google, model: android, scope: eq, version: 4.0

Trust: 1.6

vendor: google, model: android, scope: eq, version: 4.2.2

Trust: 1.3

vendor: google, model: android, scope: eq, version: 4.3

Trust: 1.3

vendor: google, model: android, scope: eq, version: 4.2

Trust: 1.3

vendor: google, model: android, scope: eq, version: 4.1

Trust: 1.3

vendor: google, model: android, scope: eq, version: 4.0.1

Trust: 1.0

vendor: google, model: android, scope: lte, version: 4.3.1

Trust: 1.0

vendor: google, model: android, scope: eq, version: 4.0.4

Trust: 1.0

vendor: google, model: android, scope: eq, version: 4.1.2

Trust: 1.0

vendor: google, model: android, scope: eq, version: 4.0.2

Trust: 1.0

vendor: lenovo, model: shareit, scope: lte, version: 3.5.88_ww

Trust: 1.0

vendor: google, model: android, scope: eq, version: 4.0.3

Trust: 1.0

vendor: google, model: android, scope: eq, version: 4.2.1

Trust: 1.0

vendor: google, model: android, scope: lt, version: 4.4

Trust: 0.8

vendor: google, model: android, scope: eq, version: 4.3.1

Trust: 0.3

vendor: google, model: android, scope: eq, version: 4.1.1

Trust: 0.3

sources: BID: 65473 // JVNDB: JVNDB-2014-001554 // CNNVD: CNNVD-201403-037 // NVD: CVE-2014-1939

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-1939
value: HIGH

Trust: 1.0

NVD: CVE-2014-1939
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201403-037
value: HIGH

Trust: 0.6

VULHUB: VHN-69878
value: HIGH

Trust: 0.1

VULMON: CVE-2014-1939
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-1939
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-69878
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-69878 // VULMON: CVE-2014-1939 // JVNDB: JVNDB-2014-001554 // CNNVD: CNNVD-201403-037 // NVD: CVE-2014-1939

PROBLEMTYPE DATA

problemtype: CWE-94

Trust: 1.9

sources: VULHUB: VHN-69878 // JVNDB: JVNDB-2014-001554 // NVD: CVE-2014-1939

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-037

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201403-037

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001554

PATCH

title: Introducing Chromium-powered Android WebView, url: http://blog.chromium.org/2013/11/introducing-chromium-powered-android.html

Trust: 0.8

title: WebViewCompat, url: https://github.com/BCsl/WebViewCompat

Trust: 0.1

title: Securelist, url: https://securelist.com/results-of-poc-publishing/74724/

Trust: 0.1

sources: VULMON: CVE-2014-1939 // JVNDB: JVNDB-2014-001554

EXTERNAL IDS

db: NVD, id: CVE-2014-1939

Trust: 2.9

db: OPENWALL, id: OSS-SECURITY/2014/02/11/2

Trust: 2.6

db: JVNDB, id: JVNDB-2014-001554

Trust: 0.8

db: CNNVD, id: CNNVD-201403-037

Trust: 0.7

db: MLIST, id: [OSS-SECURITY] 20140210 CVE-2014-1939 SEARCHBOXJAVABRIDGE_ IN ANDROID JELLY BEAN

Trust: 0.6

db: BID, id: 65473

Trust: 0.5

db: VULHUB, id: VHN-69878

Trust: 0.1

db: VULMON, id: CVE-2014-1939

Trust: 0.1

sources: VULHUB: VHN-69878 // VULMON: CVE-2014-1939 // BID: 65473 // JVNDB: JVNDB-2014-001554 // CNNVD: CNNVD-201403-037 // NVD: CVE-2014-1939

REFERENCES

url: http://openwall.com/lists/oss-security/2014/02/11/2

Trust: 2.6

url: http://blog.chromium.org/2013/11/introducing-chromium-powered-android.html

Trust: 1.8

url: https://support.lenovo.com/us/en/product_security/len_6421

Trust: 1.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1939

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1939

Trust: 0.8

url: http://code.google.com/android/

Trust: 0.3

url: http://seclists.org/oss-sec/2014/q1/311

Trust: 0.3

url: http://seclists.org/oss-sec/2014/q1/313

Trust: 0.3

url: https://cwe.mitre.org/data/definitions/94.html

Trust: 0.1

url: https://www.securityfocus.com/bid/65473

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://github.com/bcsl/webviewcompat

Trust: 0.1

sources: VULHUB: VHN-69878 // VULMON: CVE-2014-1939 // BID: 65473 // JVNDB: JVNDB-2014-001554 // CNNVD: CNNVD-201403-037 // NVD: CVE-2014-1939

CREDITS

Joshua J. Drak

Trust: 0.3

sources: BID: 65473

SOURCES

db: VULHUB, id: VHN-69878
db: VULMON, id: CVE-2014-1939
db: BID, id: 65473
db: JVNDB, id: JVNDB-2014-001554
db: CNNVD, id: CNNVD-201403-037
db: NVD, id: CVE-2014-1939

LAST UPDATE DATE

2025-04-13T23:18:55.176000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-69878, date: 2016-05-26T00:00:00
db: VULMON, id: CVE-2014-1939, date: 2016-05-26T00:00:00
db: BID, id: 65473, date: 2014-02-10T00:00:00
db: JVNDB, id: JVNDB-2014-001554, date: 2014-03-05T00:00:00
db: CNNVD, id: CNNVD-201403-037, date: 2015-08-04T00:00:00
db: NVD, id: CVE-2014-1939, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-69878, date: 2014-03-03T00:00:00
db: VULMON, id: CVE-2014-1939, date: 2014-03-03T00:00:00
db: BID, id: 65473, date: 2014-02-10T00:00:00
db: JVNDB, id: JVNDB-2014-001554, date: 2014-03-05T00:00:00
db: CNNVD, id: CNNVD-201403-037, date: 2014-03-03T00:00:00
db: NVD, id: CVE-2014-1939, date: 2014-03-03T04:50:46.453