6.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-43849

GHSA ID

GHSA-7vfx-hfvm-rhr8

EPSS Score

0.23055%

CWE

CWE-617

Published

11/2/2023

Updated

11/2/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-43849

CVE-2021-43849: cordova-plugin-fingerprint-aio DoS vulnerability

Summary:

Sending a specially crafted intent with an invalid/empty extras de.niklasmerz.cordova.biometric.BiometricActivity can cause the app to crash. sending the intent repeatedly can prevent the app using this plugin from working, resulting in a denial of service (DoS) condition.

Impact

A 3rd party app/remote attacker can exploit this vulnerability by sending a malicious intent to the target device, causing the app using this plugin from working to crash or become unresponsive, resulting in a denial of service (DoS) condition.

Mitigation

Version 5.0.1 of the cordova-plugin-fingerprint-aio doesn't export the activity anymore and is no longer vulnerable.

If you want to fix older versions change the attribute android:exported of this code snippet in plugin.xml to false:

<config-file target="AndroidManifest.xml" parent="application">
      <activity android:name="de.niklasmerz.cordova.biometric.BiometricActivity" android:theme="@style/TransparentTheme" android:exported="false"/>
</config-file>

Patches

Please upgrade to version 5.0.1 as soon as possible.

Please check out the release on GitHub.

For more information

If you have any questions or comments about this advisory please go to the discussion on GitHub.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-43849

CVE-2021-43849:

6.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-43849

GHSA ID

GHSA-7vfx-hfvm-rhr8

EPSS Score

0.23055%

CWE

CWE-617

Published

11/2/2023

Updated

11/2/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cordova-plugin-fingerprint-aio	npm	< 5.0.1	5.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the exported BiometricActivity being reachable by 3rd party apps. While the exact crash-triggering code isn't shown in provided diffs (which focus on iOS fixes), the manifest configuration and CWE-617 (Reachable Assertion) indicate the activity's entry points process untrusted intents without proper validation. The mitigation explicitly addresses this by disabling exportation, confirming the activity's exposed nature was the vulnerability root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-43849: cordova-plugin-fingerprint-aio DoS vulnerability

Summary:

Impact

Mitigation

Patches

For more information

CVE-2021-43849:

6.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-43849: cordova-plugin-fingerprint-aio DoS vulnerability

Summary:

Impact

Mitigation

Patches

For more information

Basic Information

Basic Information

Technical Details

6.2

6.2

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI