ID

VAR-201904-0563


CVE

CVE-2018-14989


TITLE

Plum Mobile Compass Input Validation Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-15932 // CNNVD: CNNVD-201904-1174

DESCRIPTION

The Plum Compass Android device with a build fingerprint of PLUM/c179_hwf_221/c179_hwf_221:6.0/MRA58K/W16.51.5-22:user/release-keys contains a pre-installed platform app with a package name of com.android.settings (versionCode=23, versionName=6.0-eng.root.20161223.224055) that contains an exported broadcast receiver app component which allows any app co-located on the device to programmatically perform a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves, with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app.

The Plum Compass Android device contains an input validation vulnerability. Information may be altered.

Plum Mobile Compass is an Android-based smartphone from Plum Mobile, USA. A security vulnerability exists in the com.android.settings package (versionCode=23, versionName=6.0-eng.root.20161223.224055) in Plum Mobile Compass (build fingerprint PLUM/c179_hwf_221/c179_hwf_221:6.0/MRA58K/W16.51.5-22:user/release-keys). An attacker could exploit this vulnerability to restore factory settings without permission, resulting in data loss.

Trust: 2.25

sources: NVD: CVE-2018-14989 // JVNDB: JVNDB-2018-015360 // CNVD: CNVD-2019-15932 // VULHUB: VHN-125203

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-15932

AFFECTED PRODUCTS

vendor: plum mobile, model: compass, scope: eq, version: -

Trust: 1.0

vendor: plum mobile, model: compass, scope: -, version: -

Trust: 0.8

vendor: plum, model: mobile plum mobile compass, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2019-15932 // JVNDB: JVNDB-2018-015360 // NVD: CVE-2018-14989

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-14989
value: HIGH

Trust: 1.0

NVD: CVE-2018-14989
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-15932
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201904-1174
value: HIGH

Trust: 0.6

VULHUB: VHN-125203
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-14989
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-15932
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-125203
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-14989
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-15932 // VULHUB: VHN-125203 // JVNDB: JVNDB-2018-015360 // CNNVD: CNNVD-201904-1174 // NVD: CVE-2018-14989

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

sources: VULHUB: VHN-125203 // JVNDB: JVNDB-2018-015360 // NVD: CVE-2018-14989

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201904-1174

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015360

PATCH

title: Compass, url: https://www.plum-mobile.com/compass/

Trust: 0.8

sources: JVNDB: JVNDB-2018-015360

EXTERNAL IDS

db: NVD, id: CVE-2018-14989

Trust: 3.1

db: JVNDB, id: JVNDB-2018-015360

Trust: 0.8

db: CNNVD, id: CNNVD-201904-1174

Trust: 0.7

db: CNVD, id: CNVD-2019-15932

Trust: 0.6

db: VULHUB, id: VHN-125203

Trust: 0.1

sources: CNVD: CNVD-2019-15932 // VULHUB: VHN-125203 // JVNDB: JVNDB-2018-015360 // CNNVD: CNNVD-201904-1174 // NVD: CVE-2018-14989

REFERENCES

url: https://www.kryptowire.com/portal/wp-content/uploads/2018/12/defcon-26-johnson-and-stavrou-vulnerable-out-of-the-box-an-eval-of-android-carrier-devices-wp-updated.pdf

Trust: 3.1

url: https://www.kryptowire.com/portal/android-firmware-defcon-2018/

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2018-14989

Trust: 1.4

url: https://www.kryptowire.com

Trust: 1.1

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14989

Trust: 0.8

sources: CNVD: CNVD-2019-15932 // VULHUB: VHN-125203 // JVNDB: JVNDB-2018-015360 // CNNVD: CNNVD-201904-1174 // NVD: CVE-2018-14989

SOURCES

db: CNVD, id: CNVD-2019-15932
db: VULHUB, id: VHN-125203
db: JVNDB, id: JVNDB-2018-015360
db: CNNVD, id: CNNVD-201904-1174
db: NVD, id: CVE-2018-14989

LAST UPDATE DATE

2024-11-23T21:52:20.839000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-15932, date: 2019-06-19T00:00:00
db: VULHUB, id: VHN-125203, date: 2019-05-02T00:00:00
db: JVNDB, id: JVNDB-2018-015360, date: 2019-05-29T00:00:00
db: CNNVD, id: CNNVD-201904-1174, date: 2019-04-26T00:00:00
db: NVD, id: CVE-2018-14989, date: 2024-11-21T03:50:15.920

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-15932, date: 2019-05-30T00:00:00
db: VULHUB, id: VHN-125203, date: 2019-04-25T00:00:00
db: JVNDB, id: JVNDB-2018-015360, date: 2019-05-29T00:00:00
db: CNNVD, id: CNNVD-201904-1174, date: 2019-04-25T00:00:00
db: NVD, id: CVE-2018-14989, date: 2019-04-25T20:29:00.537