CVE-2021-1020 — Improper Input Validation in Google Android

CWE-20 — Improper Input Validation26 documents5 sources

Severity

7.3HIGHNVD

EPSS

0.0%

top 96.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Google Android Msrc Microsoft Edge

Timeline

PublishedDec 15

Latest updateDec 16

Description

In snoozeNotification of NotificationListenerService.java, there is a possible way to disable notification for an arbitrary user due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-195111725

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5google/androidAndroid-12

▶NVDgoogle/android12.0

▶Androidplatform/frameworks_base12:0 — 12:2021-12-01

▶msrcmsrc/microsoft_edge

🔴Vulnerability Details

GHSA

GHSA-c6qm-6524-j252: In snoozeNotification of NotificationListenerService↗2021-12-16

▶

OSV

CVE-2021-1020: In snoozeNotification of NotificationListenerService↗2021-12-01

▶

📋Vendor Advisories

Microsoft

Chromium: CVE-2021-37988 Use after free in Profiles↗2021-10-12

▶

Microsoft

Chromium: CVE-2021-37985 Use after free in V8↗2021-10-12

▶

Microsoft

Chromium: CVE-2021-38002 Use after free in Web Transport↗2021-10-12

▶

Microsoft

Chromium: CVE-2021-38000 Insufficient validation of untrusted input in Intents↗2021-10-12

▶

Microsoft

Chromium: CVE-2021-37990 Inappropriate implementation in WebView↗2021-10-12

▶