CVE-2017-13176: Improper Input Validation in INC Android

Severity: 8.8 HIGH (NVD)
EPSS: 0.7% (top 28.20%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 12; Latest update May 14

Description

In the parseURL function of URLStreamHandler, there is improper input validation of the host field. This could lead to a remote elevation of privilege that could enable bypassing user interaction requirements with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-68341964.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

NVD: google/android, 8 versions +7
CVEListV5: google_inc/android, 8 versions +7

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-38fq-722f-5mfp: In the parseURL function of URLStreamHandler, there is improper input validation of the host field (2022-05-14)
CVEList: CVE-2017-13176: In the parseURL function of URLStreamHandler, there is improper input validation of the host field (2018-01-12)

📋 Vendor Advisories (1)

Android: CVE-2017-13176: Android Security Bulletin 2018-01-01 CVE: CVE-2017-13176 Severity: HIGH Type: EoP Affected AOSP versions: 5 (2018-01-01)