Home > Vulnerability Database > CVE-2020-15509

Mend.io Vulnerability Database

CVE-2020-15509

Date: July 7, 2020

Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication is purportedly encrypted. The problem is in bond creation (e.g., internalCreateBond in BleManagerHandler).

Language: Java

Severity Score

6.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-15509

Url: https://github.com/NordicSemiconductor/Android-DFU-Library/commits/release

Url: https://github.com/NordicSemiconductor/Android-BLE-Library/commits/master

Url: https://secretdiary.ninja/index.php/2020/07/03/norec-attack-stripping-ble-encryption-from-nordicsemis-android-library-cve-2020-15509/

Url: https://www.mend.io/vulnerability-database/CVE-2020-15509

Severity Score

6.5

Weakness Type (CWE)

Cleartext Transmission of Sensitive Information

CWE-319

Missing Encryption of Sensitive Data

CWE-311

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	3.3
Access Vector (AV):	ADJACENT
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-15509

Date: July 7, 2020

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?