CVE Vulnerabilities

CVE-2020-12624

Incomplete Cleanup

Published: May 03, 2020 | Modified: Jul 21, 2021
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

The League application before 2020-05-02 on Android sends a bearer token in an HTTP Authorization header to an arbitrary web site that hosts an external image because an OkHttp object is reused, which allows remote attackers to hijack sessions.

Weakness

The product does not properly “clean up” and remove temporary or supporting resources after they have been used.

Affected Software

Name Vendor Start Version End Version
The_league Theleague * 2020-05-02 (excluding)

Potential Mitigations

References