Total
4 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-35137 | 1 Mobileiron | 1 Mobile\@work | 2023-03-03 | 4.3 MEDIUM | 7.5 HIGH |
** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature. | |||||
CVE-2020-35138 | 1 Mobileiron | 1 Mobile\@work | 2022-04-22 | 5.0 MEDIUM | 9.8 CRITICAL |
** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack. | |||||
CVE-2021-3391 | 1 Mobileiron | 1 Mobile\@work | 2021-04-06 | 5.0 MEDIUM | 5.3 MEDIUM |
MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message | |||||
CVE-2014-5903 | 1 Mobileiron | 1 Mobile\@work | 2014-09-22 | 5.4 MEDIUM | N/A |
The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |