We have resolved a security issue in the camera plugin that could have
affected certain Cordova (Android) applications.

CVE-2020-11990: Apache Cordova Plugin camera vulnerable to information
disclosure

Type of Vulnerability:

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Low

Vendor: The Apache Software Foundation

Possible attacker conditions:

An attacker who can install (or lead the victim to install) a specially
crafted (or malicious) Android application. The Android documentation
describes the external cache location as application-specific; however,
"There is no security enforced with these files. For example, any
application holding Manifest.permission.WRITE_EXTERNAL_STORAGE can write to
these files." (and thereby read them)

Possible victims:

Android users who take pictures with an Apache Cordova based application
and have removable storage attached.

Possible Impacts:

Confidentiality is breached.
The image files (photos) taken by Android apps that were developed using
the Apache Cordova camera plugin will be disclosed.

Versions Affected:

Cordova Android applications using the Camera plugin

(cordova-plugin-camera version 4.1.0 and below)

Upgrade path:

Developers who are concerned about this issue should install version 5.0.0
or higher of cordova-plugin-camera.

Mitigation Steps:

Upgrade plugin and rebuild application, update deployments.
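
One way to find projects that still declare an affected plugin version, as an
added example that is not part of the original advisory or of Apache Cordova.
It assumes the plugin is declared in package.json (dependencies or
devDependencies) or in a config.xml plugin tag; the function names and sample
file contents are constructed for illustration.

```javascript
// Added example (not Apache Cordova code): flag cordova-plugin-camera
// declarations that allow a release below 5.0.0, the fixed version.
const PLUGIN = 'cordova-plugin-camera';
const FIXED = [5, 0, 0];

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Classify by the lowest x.y.z named in a spec such as "^4.1.0" or ">=4.0.0 <6.0.0".
function classify(spec) {
  const found = [...String(spec).matchAll(/(\d+)\.(\d+)\.(\d+)/g)]
    .map((m) => m.slice(1, 4).map(Number))
    .sort(compare);
  if (found.length === 0) return 'unknown'; // tag, bare URL, "latest": review by hand
  return compare(found[0], FIXED) < 0 ? 'affected' : 'ok';
}

// Takes the text of package.json and config.xml; returns one finding per declaration.
function auditCameraPlugin(packageJsonText, configXmlText) {
  const findings = [];
  const pkg = JSON.parse(packageJsonText || '{}');
  for (const section of ['dependencies', 'devDependencies']) {
    const spec = (pkg[section] || {})[PLUGIN];
    if (spec !== undefined) {
      findings.push({ source: `package.json ${section}`, spec, status: classify(spec) });
    }
  }
  for (const [tag] of (configXmlText || '').matchAll(/<plugin\b[^>]*>/g)) {
    if (!new RegExp(`\\bname=["']${PLUGIN}["']`).test(tag)) continue;
    const m = tag.match(/\b(?:spec|version)=["']([^"']*)["']/);
    const spec = m ? m[1] : '';
    findings.push({ source: 'config.xml', spec, status: classify(spec) });
  }
  return findings;
}

// Constructed sample project files, for illustration only.
const samplePackageJson = JSON.stringify({
  devDependencies: { 'cordova-plugin-camera': '^4.1.0', 'cordova-android': '^9.0.0' },
});
const sampleConfigXml = `<widget id="com.example.app">
  <plugin name="cordova-plugin-camera" spec="~5.0.1" />
  <plugin name="cordova-plugin-file" spec="^6.0.2" />
</widget>`;
console.log(auditCameraPlugin(samplePackageJson, sampleConfigXml));
```

A declaration reported as "ok" only shows what the project asks for; the
application still has to be rebuilt and redeployed with the upgraded plugin.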

Credit: JPCERT/CC Vulnerability Coordination Group. (JVN#59779918)
