CVE-2021-0932 — Confused Deputy in Google Android

4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 98.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Google Android

Timeline

PublishedDec 15

Latest updateDec 16

Description

In showNotification of NavigationModeController.java, there is a possible confused deputy due to an unsafe PendingIntent. This could lead to local escalation of privilege that allows actions performed as the System UI with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-173025705

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5google/androidAndroid-10

▶NVDgoogle/android10.0

▶googlegoogle/android

▶Androidplatform/frameworks_base10:0 — 10:2021-11-01

🔴Vulnerability Details

GHSA

GHSA-35cj-v3wc-rh8w: In showNotification of NavigationModeController↗2021-12-16

▶

OSV

CVE-2021-0932: In showNotification of NavigationModeController↗2021-11-01

▶

📋Vendor Advisories

Android

CVE-2021-0932: Android Security Bulletin 2021-11-01 CVE: CVE-2021-0932 Severity: HIGH Type: EoP Affected AOSP versions: 10 References: A-173025705↗2021-11-01

▶