CVE-2020-0246Missing Authorization in Google Android

CWE-862Missing Authorization6 documents6 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 96.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform Frameworks OPT TelephonyGoogle Android
Timeline
PublishedOct 14
Latest updateMay 24

Description

In getCarrierPrivilegeStatus of UiccAccessRule.java, there is a missing permission check. This could lead to local information disclosure of EID data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-159062405

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5google/androidAndroid-10 Android-11
NVDgoogle/android10.0, 11.0+1
Androidplatform/frameworks_opt_telephony10:010:2020-10-01+1

🔴Vulnerability Details

3
GHSA
GHSA-4hx2-5qrx-wwr8: In getCarrierPrivilegeStatus of UiccAccessRule2022-05-24
CVEList
CVE-2020-0246: In getCarrierPrivilegeStatus of UiccAccessRule2020-10-14
OSV
CVE-2020-0246: In getCarrierPrivilegeStatus of UiccAccessRule2020-10-01

📋Vendor Advisories

1
Android
CVE-2020-0246: Android Security Bulletin 2020-10-01 CVE: CVE-2020-0246 Severity: HIGH Type: ID Affected AOSP versions: 10, 11 References: A-1590624052020-10-01

💬Community

1
Bugzilla
CVE-2020-25640 wildfly: resource adapter logs plaintext JMS password at warning level on connection error2020-09-22
CVE-2020-0246 — Missing Authorization in Google Android | cvebase