Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for mobile\@work by mobileiron

    CVE-2021-3391 (GCVE-0-2021-3391)

    Vulnerability from nvd – Published: 2021-03-29 19:37 – Updated: 2024-08-03 16:53
    VLAI
    Summary
    MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T16:53:17.425Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/optiv/rustyIron"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-29T19:37:09.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/optiv/rustyIron"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-3391",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available",
                  "refsource": "MISC",
                  "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"
                },
                {
                  "name": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration",
                  "refsource": "MISC",
                  "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
                },
                {
                  "name": "https://github.com/optiv/rustyIron",
                  "refsource": "MISC",
                  "url": "https://github.com/optiv/rustyIron"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-3391",
        "datePublished": "2021-03-29T19:37:09.000Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-08-03T16:53:17.425Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-35138 (GCVE-0-2020-35138)

    Vulnerability from nvd – Published: 2021-03-29 19:36 – Updated: 2024-08-04 16:55 Disputed
    VLAI
    Summary
    The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:55:10.836Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/optiv/rustyIron"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-04T18:57:36.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/optiv/rustyIron"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
            }
          ],
          "tags": [
            "disputed"
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-35138",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US",
                  "refsource": "MISC",
                  "url": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US"
                },
                {
                  "name": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration",
                  "refsource": "MISC",
                  "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
                },
                {
                  "name": "https://github.com/optiv/rustyIron",
                  "refsource": "MISC",
                  "url": "https://github.com/optiv/rustyIron"
                },
                {
                  "name": "https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research",
                  "refsource": "MISC",
                  "url": "https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research"
                },
                {
                  "name": "https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration",
                  "refsource": "MISC",
                  "url": "https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-35138",
        "datePublished": "2021-03-29T19:36:38.000Z",
        "dateReserved": "2020-12-11T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:55:10.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-35137 (GCVE-0-2020-35137)

    Vulnerability from nvd – Published: 2021-03-29 00:00 – Updated: 2024-08-04 16:55 Disputed
    VLAI
    Summary
    The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:55:10.987Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/optiv/rustyIron"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-01T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US"
            },
            {
              "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
            },
            {
              "url": "https://github.com/optiv/rustyIron"
            }
          ],
          "tags": [
            "disputed"
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-35137",
        "datePublished": "2021-03-29T00:00:00.000Z",
        "dateReserved": "2020-12-11T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:55:10.987Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-5903 (GCVE-0-2014-5903)

    Vulnerability from nvd – Published: 2014-09-15 14:00 – Updated: 2024-08-06 12:03
    VLAI
    Summary
    The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://www.kb.cert.org/vuls/id/823529 third-party-advisoryx_refsource_CERT-VN
    http://www.kb.cert.org/vuls/id/582497 third-party-advisoryx_refsource_CERT-VN
    https://docs.google.com/spreadsheets/d/1t5GXwjw82… x_refsource_MISC
    Date Public
    2014-09-14 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T12:03:01.713Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#823529",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "http://www.kb.cert.org/vuls/id/823529"
              },
              {
                "name": "VU#582497",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "http://www.kb.cert.org/vuls/id/582497"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-09-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2014-09-15T13:57:00.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#823529",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "http://www.kb.cert.org/vuls/id/823529"
            },
            {
              "name": "VU#582497",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "http://www.kb.cert.org/vuls/id/582497"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2014-5903",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#823529",
                  "refsource": "CERT-VN",
                  "url": "http://www.kb.cert.org/vuls/id/823529"
                },
                {
                  "name": "VU#582497",
                  "refsource": "CERT-VN",
                  "url": "http://www.kb.cert.org/vuls/id/582497"
                },
                {
                  "name": "https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing",
                  "refsource": "MISC",
                  "url": "https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2014-5903",
        "datePublished": "2014-09-15T14:00:00.000Z",
        "dateReserved": "2014-08-30T00:00:00.000Z",
        "dateUpdated": "2024-08-06T12:03:01.713Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3391 (GCVE-0-2021-3391)

    Vulnerability from cvelistv5 – Published: 2021-03-29 19:37 – Updated: 2024-08-03 16:53
    VLAI
    Summary
    MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T16:53:17.425Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/optiv/rustyIron"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-29T19:37:09.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/optiv/rustyIron"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-3391",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available",
                  "refsource": "MISC",
                  "url": "https://www.mobileiron.com/en/blog/mobileiron-security-updates-available"
                },
                {
                  "name": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration",
                  "refsource": "MISC",
                  "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
                },
                {
                  "name": "https://github.com/optiv/rustyIron",
                  "refsource": "MISC",
                  "url": "https://github.com/optiv/rustyIron"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-3391",
        "datePublished": "2021-03-29T19:37:09.000Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-08-03T16:53:17.425Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-35138 (GCVE-0-2020-35138)

    Vulnerability from cvelistv5 – Published: 2021-03-29 19:36 – Updated: 2024-08-04 16:55 Disputed
    VLAI
    Summary
    The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:55:10.836Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/optiv/rustyIron"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-04T18:57:36.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/optiv/rustyIron"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
            }
          ],
          "tags": [
            "disputed"
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-35138",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US",
                  "refsource": "MISC",
                  "url": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US"
                },
                {
                  "name": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration",
                  "refsource": "MISC",
                  "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
                },
                {
                  "name": "https://github.com/optiv/rustyIron",
                  "refsource": "MISC",
                  "url": "https://github.com/optiv/rustyIron"
                },
                {
                  "name": "https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research",
                  "refsource": "MISC",
                  "url": "https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research"
                },
                {
                  "name": "https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration",
                  "refsource": "MISC",
                  "url": "https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-35138",
        "datePublished": "2021-03-29T19:36:38.000Z",
        "dateReserved": "2020-12-11T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:55:10.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-35137 (GCVE-0-2020-35137)

    Vulnerability from cvelistv5 – Published: 2021-03-29 00:00 – Updated: 2024-08-04 16:55 Disputed
    VLAI
    Summary
    The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:55:10.987Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/optiv/rustyIron"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-01T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://play.google.com/store/apps/details?id=com.mobileiron\u0026hl=en_US\u0026gl=US"
            },
            {
              "url": "https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration"
            },
            {
              "url": "https://github.com/optiv/rustyIron"
            }
          ],
          "tags": [
            "disputed"
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-35137",
        "datePublished": "2021-03-29T00:00:00.000Z",
        "dateReserved": "2020-12-11T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:55:10.987Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-5903 (GCVE-0-2014-5903)

    Vulnerability from cvelistv5 – Published: 2014-09-15 14:00 – Updated: 2024-08-06 12:03
    VLAI
    Summary
    The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://www.kb.cert.org/vuls/id/823529 third-party-advisoryx_refsource_CERT-VN
    http://www.kb.cert.org/vuls/id/582497 third-party-advisoryx_refsource_CERT-VN
    https://docs.google.com/spreadsheets/d/1t5GXwjw82… x_refsource_MISC
    Date Public
    2014-09-14 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T12:03:01.713Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "VU#823529",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "http://www.kb.cert.org/vuls/id/823529"
              },
              {
                "name": "VU#582497",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "http://www.kb.cert.org/vuls/id/582497"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-09-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2014-09-15T13:57:00.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "VU#823529",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "http://www.kb.cert.org/vuls/id/823529"
            },
            {
              "name": "VU#582497",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "http://www.kb.cert.org/vuls/id/582497"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "ID": "CVE-2014-5903",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "VU#823529",
                  "refsource": "CERT-VN",
                  "url": "http://www.kb.cert.org/vuls/id/823529"
                },
                {
                  "name": "VU#582497",
                  "refsource": "CERT-VN",
                  "url": "http://www.kb.cert.org/vuls/id/582497"
                },
                {
                  "name": "https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing",
                  "refsource": "MISC",
                  "url": "https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2014-5903",
        "datePublished": "2014-09-15T14:00:00.000Z",
        "dateReserved": "2014-08-30T00:00:00.000Z",
        "dateUpdated": "2024-08-06T12:03:01.713Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }