Summary
Impact of Vulnerability | BlueStacks’ IPC mechanism exposes security vulnerabilities that are exploitable via malicious web pages |
CVE Numbers | CVE-2019-12936 |
Severity Rating | High |
CVSS v3 Base / Temporal Scores: | Base: 7.1 |
Recommendations | Install or update to the latest BlueStacks App Player |
Affected Versions | Windows: Version 4.80 and below |
Fixed Version | Windows: Version 4.90 |
Location of Updated Software | http://www.bluestacks.com/download.html |
Description
An attacker can use DNS Rebinding to gain access to the BlueStacks App Player IPC mechanism via a malicious web page. From there, various exposed IPC functions can be abused.
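A common defence against DNS rebinding for a loopback HTTP service is to reject any request whose Host header does not name the loopback interface, because the browser still sends the attacker's domain in Host after that name has been rebound to a local address. The following is an added example, not BlueStacks code and not a description of the 4.90 fix; it assumes the IPC endpoint speaks HTTP, and the port 9999 and all function and class names are constructed for illustration.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler

IPC_PORT = 9999  # constructed port for illustration, not a BlueStacks value
ALLOWED_NAMES = {"localhost"}


def host_is_allowed(host_header, expected_port=IPC_PORT):
    """Return True only if the Host header names this loopback service."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:9999
        end = host.find("]")
        if end == -1:
            return False
        name, rest = host[1:end], host[end + 1:]
    else:
        name, sep, port_part = host.partition(":")
        rest = sep + port_part
    if rest:
        digits = rest[1:]
        if not rest.startswith(":") or not (digits.isascii() and digits.isdigit()):
            return False
        port = int(digits)
    else:
        port = 80  # a Host header without a port implies the HTTP default
    if port != expected_port:
        return False
    if name in ALLOWED_NAMES:
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False  # any other DNS name, including a rebinding domain


class IPCHandler(BaseHTTPRequestHandler):
    """Hypothetical IPC handler that checks Host before doing any work."""
    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(403, "Host not allowed")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
```

The same check belongs in every request method the service handles, and it complements rather than replaces authenticating IPC callers.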
Remediation
Windows
Download the product from http://www.bluestacks.com/download.html.
Install the updated BlueStacks App Player using the usual update path.
Workaround
- Download the latest version of BlueStacks from the website
Acknowledgments
Nick Cano <nickcano.com>
CVSS Scoring
Base Score | 7.1 |
Attack Vector (AV) | Network (N) |
Attack Complexity (AC) | High (H) |
Privileges Required (PR) | Low (L) |
User Interaction (UI) | Required (R) |
Scope (S) | Unchanged (U) |
Confidentiality (C) | High (H) |
Integrity (I) | High (H) |
Availability (A) | High (H) |
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H