CVE-2020-35137

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:android:*:*
cpe:2.3:a:mobileiron:mobile\@work:*:*:*:*:*:iphone_os:*:*

History

21 Nov 2024, 05:26

Type Values Removed Values Added
References () https://github.com/optiv/rustyIron - Exploit, Third Party Advisory () https://github.com/optiv/rustyIron - Exploit, Third Party Advisory
References () https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US - Product () https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US - Product
References () https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration - Exploit, Third Party Advisory () https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration - Exploit, Third Party Advisory

07 Nov 2023, 03:21

Type Values Removed Values Added
Summary ** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature. The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.

Information

Published : 2021-03-29 20:15

Updated : 2024-11-21 05:26


NVD link : CVE-2020-35137

Mitre link : CVE-2020-35137

CVE.ORG link : CVE-2020-35137


JSON object : View

Products Affected

mobileiron

  • mobile\@work
CWE
CWE-798

Use of Hard-coded Credentials