CVE-2020-24721

low-risk
Published 2020-09-30

An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.7/10 Medium
PHYSICAL / LOW complexity

Affected Products (2)

Exposure Notifications
Exposure Notifications

Affected Vendors

Apple Google

References (8)

Third Party Advisory http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Da...
Vendor Advisory https://blog.google/inside-google/company-announcements/update-exposure-notifica...
Third Party Advisory https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/C...
Mailing List https://seclists.org/fulldisclosure/2020/Sep/53
Third Party Advisory http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Da...
Vendor Advisory https://blog.google/inside-google/company-announcements/update-exposure-notifica...
Third Party Advisory https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/C...
Mailing List https://seclists.org/fulldisclosure/2020/Sep/53
26
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 7/34 · Low