CVE-2021-0922 — Missing Authorization in Google Android

CWE-862 — Missing Authorization5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 97.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform External Robolectric-shadows Platform Frameworks Base Platform Packages Apps Managedprovisioning +1 more

Timeline

PublishedDec 15

Latest updateDec 16

Description

In enforceCrossUserOrProfilePermission of PackageManagerService.java, there is a possible bypass of INTERACT_ACROSS_PROFILES permission due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-195630721

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5google/androidAndroid-11

▶NVDgoogle/android11.0

▶Androidplatform/frameworks_base11:0 — 11:2021-11-01

▶Androidplatform/external_robolectric-shadows11:0 — 11:2021-11-01

▶Androidplatform/packages_apps_managedprovisioning11:0 — 11:2021-11-01

🔴Vulnerability Details

GHSA

GHSA-pjj9-7rm3-86j3: In enforceCrossUserOrProfilePermission of PackageManagerService↗2021-12-16

▶

CVEList

CVE-2021-0922: In enforceCrossUserOrProfilePermission of PackageManagerService↗2021-12-15

▶

OSV

CVE-2021-0922: In enforceCrossUserOrProfilePermission of PackageManagerService↗2021-11-01

▶

📋Vendor Advisories

Android

CVE-2021-0922: Android Security Bulletin 2021-11-01 CVE: CVE-2021-0922 Severity: MEDIUM Type: EoP Affected AOSP versions: 11 References: A-195630721↗2021-11-01

▶