This CVE is known to exist in OpenTrace and all forks. It has been assigned a severity of 9.2 Critical. It primarily affects Android but should also be addressed on iPhone.
See https://github.com/alwentiu/COVIDSafe-CVE-2020-12856 for more information.
The details are not currently public and are under embargo until June 19; however, we have emailed the full details to vulnerability_disclosure@tech.gov.sg and support@tracetogether.gov.sg on May 19 and again on May 27, including details of a suggested fix, but have not heard any reply or acknowledgement.
Please contact us for more information if necessary, but additionally please provide an advisory so that other projects forking OpenTrace can also be aware of how to address this.
cc @alwentiu