CVE-2015-9232 Information

Description

The Good for Enterprise application 3.0.0.415 for Android does not use signature protection for its Authentication Delegation API intent. Also the Good Dynamic application activation process does not attempt to detect malicious activation attempts involving modified names beginning with a com.good.gdgma substring. Consequently an attacker could obtain access to intranet data. This issue is only relevant in cases where the user has already downloaded a malicious Android application.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Reference

http://www.securityfocus.com/archive/1/536543 https://community.blackberry.com/community/blogs/blog/2015/10/02/what-you-need-to-know-modzero-insecure-application-coupling https://www.modzero.ch/advisories/MZ-15-03-GOOD-Auth-Delegation.txt

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

5.3