golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/optiv/rustyIron: CVE-2020-35137 #2299

Closed tatianab closed 1 year ago

tatianab commented 1 year ago

CVE-2020-35137 references github.com/optiv/rustyIron, which may be a Go module.

Description: DISPUTED The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan to make any changes to this feature.

References:

Cross references: No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/optiv/rustyIron
      vulnerable_at: 0.0.0-20210322180438-2ac11160456c
      packages:
        - package: n/a
cves:
    - CVE-2020-35137
references:
    - web: https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US
    - web: https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration
    - web: https://github.com/optiv/rustyIron

gopherbot commented 1 year ago

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports