CVE-2017-13312 — Incorrect Default Permissions in Google Android

CWE-276 — Incorrect Default Permissions3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 92.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Android

Timeline

PublishedNov 15

Latest updateNov 16

Description

In createFromParcel of MediaCas.java, there is a possible parcel read/write mismatch due to improper input validation. This could lead to local escalation of privilege where an app can start an activity with system privileges with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5google/android8

▶NVDgoogle/android8.0

▶googlegoogle/android

🔴Vulnerability Details

GHSA

GHSA-mcr8-cmcm-2p3c: In createFromParcel of MediaCas↗2024-11-16

▶

📋Vendor Advisories

Android

CVE-2017-13312: Android Security Bulletin 2018-05-01 CVE: CVE-2017-13312 Severity: HIGH Type: EoP Affected AOSP versions: 8↗2018-05-01

▶