CVE-2021-43849: Build software better, together

Summary:

The exported activity de.niklasmerz.cordova.biometric.BiometricActivity can cause the app to crash. This vulnerability occurred because the activity didn’t handle to be requested with invalid or empty data which result to crashing your app. Any third party app can constantly call this activity with no permission. If a malicious app constantly send the malicious intent, the app using this plugin will never work.

Impact

A 3rd party app/attacker using event listener can continually stop the app from working and make the victim unable to open it.

Mitigation

Version 5.0.1 of the cordova-plugin-fingerprint-aio doesn’t export the activity anymore and is no longer vulnerable.

If you want to fix older versions change the attribute android:exported of this code snippet in plugin.xml to false:

<config-file target="AndroidManifest.xml" parent="application"> <activity android:name="de.niklasmerz.cordova.biometric.BiometricActivity" android:theme="@style/TransparentTheme" android:exported="false"/> </config-file>

Patches

Please upgrade to version 5.0.1 as soon as possible.

Please check out the release on GitHub.

For more information

If you have any questions or comments about this advisory please go to the discussion on GitHub