CVE-2020-0227: Missing Authorization in Google Android

Severity
7.8 HIGH (NVD)
EPSS
0.0%
top 98.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 17
Latest update: May 24

Description

In onCommand of CompanionDeviceManagerService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege allowing background data usage or launching from the background, with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-8.0 Android-8.1 Android-9 Android-10
Android ID: A-129476618

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (4 packages)

CVEListV5: google/android, 4 versions
NVD: google/android, 4 versions
Android: platform/cts, 8.0:0, 8.0:2020-07-01
Android: platform/frameworks_base, 8.0:0, 8.0:2020-07-01

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-w2jf-83j8-x6v6: In onCommand of CompanionDeviceManagerService (2022-05-24)
CVEList: CVE-2020-0227: In onCommand of CompanionDeviceManagerService (2020-07-17)
OSV: CVE-2020-0227: In onCommand of CompanionDeviceManagerService (2020-07-01)

📋 Vendor Advisories (4)

Oracle: Oracle Communications Applications Risk Matrix: Adapters (Apache Axis) — CVE-2019-0227 (2020-07-15)
Android: CVE-2020-0227: Android Security Bulletin 2020-07-01. CVE: CVE-2020-0227. Severity: HIGH. Type: EoP. Affected AOSP versions: 8 (2020-07-01)
Oracle: Oracle Communications Applications Risk Matrix: Web Service (Apache Axis) — CVE-2019-0227 (2020-04-15)
Oracle: Oracle Communications Applications Risk Matrix: Core (Apache Axis) — CVE-2019-0227 (2020-01-15)