CVE-2021-0331 — UI Misrepresentation / Clickjacking in Google Android

CWE-1021 — UI Misrepresentation / Clickjacking5 documents5 sources

Severity

7.3HIGHNVD

EPSS

0.0%

top 90.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Packages Apps Settings Google Android

Timeline

PublishedFeb 10

Latest updateMay 24

Description

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible overlay attack due to an insecure default value. This could lead to local escalation of privilege and notification access with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-170731783

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5google/androidAndroid-9 Android-10 Android-11 Android-8.1

▶NVDgoogle/android4 versions+3

▶Androidplatform/packages_apps_settings8.0:0 — 8.0:2021-02-01+4

Patches

Patch: source.android.com ↗Patch: source.android.com ↗

🔴Vulnerability Details

GHSA

GHSA-9vc6-7g98-392v: In onCreate of NotificationAccessConfirmationActivity↗2022-05-24

▶

CVEList

CVE-2021-0331: In onCreate of NotificationAccessConfirmationActivity↗2021-02-10

▶

OSV

CVE-2021-0331: In onCreate of NotificationAccessConfirmationActivity↗2021-02-01

▶

📋Vendor Advisories

Android

CVE-2021-0331: Android Security Bulletin 2021-02-01 CVE: CVE-2021-0331 Severity: HIGH Type: EoP Affected AOSP versions: 8↗2021-02-01

▶