
CVE-2014-1423

Published: 07 May 2020

signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying OAuth tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this to create a malicious click app that collects OAuth tokens for other applications, exposing sensitive information.

Priority

Low

CVSS 3 base score: 5.5

Status

Package: signon (Launchpad, Ubuntu, Debian)
Release / Status:
Upstream: Released (8.58)
Ubuntu 18.04 LTS (Bionic Beaver): Released (8.57+15.04.20141127.1-0ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus): Released (8.57+15.04.20141127.1-0ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)
Patches:
Upstream: http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/644
Upstream: http://bazaar.launchpad.net/~online-accounts/signon/upstream/revision/645
Upstream: https://gitlab.com/accounts-sso/signond/-/commit/631eff5146bbd16717c8aeab7460434977d1b0a2
Upstream: https://gitlab.com/accounts-sso/signond/-/commit/03dd20ef043bd5c1035387998c59312ccc704a59

Notes

Author: mdeslaur
Note: This is fixed in vivid. Setting to low priority for trusty and utopic since it is specific to click apps.
