We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications.
CVE-2020-11990: Apache Cordova Plugin camera vulnerable to information disclosure
Type of Vulnerability:
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity: Low
Vendor: The Apache Software Foundation
Possible attacker conditions:
An attacker who can install (or lead the victim to install) a specially crafted (or malicious) Android application. The Android documentation describes the external cache location as application-specific; however, “There is no security enforced with these files. For example, any application holding Manifest.permission.WRITE_EXTERNAL_STORAGE can write to these files.” (and thereby read them)
Possible victims:
Android users who take pictures with an Apache Cordova-based application and have removable storage attached.
Possible Impacts:
Versions Affected:
Cordova Android applications using the Camera plugin
(cordova-plugin-camera version 4.1.0 and below)
Upgrade path:
Developers who are concerned about this issue should install version 5.0.0 or higher of cordova-plugin-camera.
Mitigation Steps:
Upgrade the plugin, rebuild the application, and update deployments.
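A version check built from "Versions Affected" and "Upgrade path" above, as an added example that is not part of the Apache advisory or the plugin's code. The function names and the sample package.json are constructed, the installed version is assumed to be supplied by the caller (for instance as reported by `cordova plugin ls`), and versions between the two thresholds are reported as unlisted because the advisory does not classify them.

```javascript
// Added example: classify cordova-plugin-camera versions for CVE-2020-11990.
// Thresholds are the advisory's: affected <= 4.1.0, fixed >= 5.0.0.
const PLUGIN = 'cordova-plugin-camera';
const LAST_AFFECTED = [4, 1, 0];
const FIRST_FIXED = [5, 0, 0];

// Parse "x.y.z" from an exact version or a simple spec ("^4.1.0", "~5.0.1").
// Git URLs, paths, tags and prereleases return null and are reviewed by hand.
function parseVersion(spec) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)\s*$/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// For a range, the lowest version it permits decides the result.
function classify(spec) {
  const v = parseVersion(spec);
  if (!v) return 'unknown';
  if (compare(v, LAST_AFFECTED) <= 0) return 'affected';
  if (compare(v, FIRST_FIXED) >= 0) return 'fixed';
  return 'unlisted'; // between the two thresholds: the advisory does not say
}

// pkg: parsed package.json of the Cordova project.
// installedVersion: version actually installed (assumption: supplied by caller).
function auditProject(pkg, installedVersion) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    const spec = pkg[field] && pkg[field][PLUGIN];
    if (spec) findings.push({ source: field, spec, status: classify(spec) });
  }
  if (installedVersion) {
    findings.push({ source: 'installed', spec: installedVersion, status: classify(installedVersion) });
  }
  return findings;
}

// Constructed sample input, not taken from a real project.
const samplePkg = {
  name: 'demo-app',
  devDependencies: { 'cordova-plugin-camera': '^4.1.0' },
};
for (const f of auditProject(samplePkg, '4.1.0')) console.log(`${f.source}: ${f.spec} -> ${f.status}`);
```

Any `affected` finding means the plugin needs the upgrade and the application a rebuild and redeploy; `unknown` and `unlisted` findings need a manual look at what is actually installed.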
Credit: JPCERT/CC Vulnerability Coordination Group. (JVN#59779918)