This page aggregates publicly disclosed CVE and security risk information related to health, with CVSS, EPSS, publication dates, and vulnerability intelligence data to help assess potential risk and remediation priority.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2020-14292 | In the COVIDSafe application through 1.0.21 for Android, unsafe use of the Bluetooth transport option in the GATT connection allows attackers to trick the application into establishing a connection over Bluetooth BR/EDR transport, which reveals the public Bluetooth address of the victim's phone without authorisation, bypassing the Bluetooth address randomisation protection in the user's phone. | [email protected] | 5.7 | 1.31% | 2020-09-09 | 2026-06-16 |
| CVE-2020-12860 | COVIDSafe through v1.0.17 allows a remote attacker to access phone name and model information because a BLE device can have four roles and COVIDSafe uses all of them. This allows for re-identification of a device, and potentially identification of the owner's name. | [email protected] | 5.3 | 1.02% | 2020-05-18 | 2026-06-16 |
| CVE-2020-12859 | Unnecessary fields in the OpenTrace/BlueTrace protocol in COVIDSafe through v1.0.17 allow a remote attacker to identify a device model by observing cleartext payload data. This allows re-identification of devices, especially less common phone models or those in low-density situations. | [email protected] | 5.3 | 0.69% | 2020-05-18 | 2026-06-16 |
| CVE-2020-12858 | Non-reinitialisation of random data in the advertising payload in COVIDSafe v1.0.15 and v1.0.16 allows a remote attacker to re-identify Android devices running COVIDSafe by scanning for their advertising beacons. | [email protected] | 7.5 | 1.81% | 2020-05-18 | 2026-06-16 |
| CVE-2020-12857 | Caching of GATT characteristic values (TempID) in COVIDSafe v1.0.15 and v1.0.16 allows a remote attacker to long-term re-identify an Android device running COVIDSafe. | [email protected] | 7.5 | 1.63% | 2020-05-18 | 2026-06-16 |
| CVE-2020-12856 | OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used. | [email protected] | 9.8 | 5.14% | 2020-05-18 | 2026-06-16 |
| CVE-2020-12717 | The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected. | [email protected] | 6.5 | 1.39% | 2020-05-14 | 2026-06-16 |
| CVE-2014-7360 | The How To Boil Eggs (aka com.appmakr.app842173) application 251333 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | [email protected] | 5.4 | 0.27% | 2014-10-19 | 2026-06-16 |