CVE-2020-0394UI Misrepresentation / Clickjacking in Google Android

CWE-1021UI Misrepresentation / ClickjackingCWE-1188Initialization of a Resource with an Insecure DefaultCWE-269Improper Privilege Management5 documents5 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 98.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform Packages Apps SettingsGoogle Android
Timeline
PublishedSep 17
Latest updateMay 24

Description

In onCreate of BluetoothPairingDialog.java, there is a possible tapjacking vector due to an insecure default value. This could lead to local escalation of privilege and untrusted devices accessing contact lists with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10 Android-11Android ID: A-155648639

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

CVEListV5google/androidAndroid-8.0 Android-8.1 Android-9 Android-10 Android-11
NVDgoogle/android4 versions+3
Androidplatform/packages_apps_settings8.0:08.0:2020-09-01+3

🔴Vulnerability Details

3
GHSA
GHSA-8jfh-qgm5-rg54: In onCreate of BluetoothPairingDialog2022-05-24
CVEList
CVE-2020-0394: In onCreate of BluetoothPairingDialog2020-09-17
OSV
CVE-2020-0394: In onCreate of BluetoothPairingDialog2020-09-01

📋Vendor Advisories

1
Android
CVE-2020-0394: Android Security Bulletin 2020-09-01 CVE: CVE-2020-0394 Severity: HIGH Type: EoP Affected AOSP versions: 82020-09-01
CVE-2020-0394 — UI Misrepresentation / Clickjacking | cvebase