CVE-2020-15509

MEDIUM

Nordic Semiconductor Android BLE & DFU Libraries < 2.2.1 & < 1.10.4 - Cleartext Transmission of Sensitive Information

Title source: llm

Description

Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication is purportedly encrypted. The problem is in bond creation (e.g., internalCreateBond in BleManagerHandler).

References (3)

Core 3

Core References

Patch, Third Party Advisory x_refsource_misc

https://github.com/NordicSemiconductor/Android-BLE-Library/commits/master

View Patch ZIP pw:eip

Patch, Third Party Advisory x_refsource_misc

https://github.com/NordicSemiconductor/Android-DFU-Library/commits/release

View Patch ZIP pw:eip

Patch, Third Party Advisory x_refsource_misc

https://secretdiary.ninja/index.php/2020/07/03/norec-attack-stripping-ble-encryption-from-nordicsemis-android-library-cve-2020-15509/

Scores

CVSS v3 6.5

EPSS 0.0054

EPSS Percentile 41.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-319

Status published

Products (2)

nordicsemi/android_ble_library < 2.2.1

nordicsemi/dfu_library < 1.10.4

Published Jul 07, 2020

Tracked Since Feb 18, 2026