CVE-2021-25393 — Code Injection in Mobile Devices

CWE-94 — Code Injection CWE-732 — Incorrect Permission Assignment3 documents3 sources

Severity

5.5MEDIUMNVD

CNA6.6

EPSS

0.0%

top 92.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samsung Mobile Devices Google Android

Timeline

PublishedJun 11

Latest updateMay 24

Description

Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid data.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5samsung_mobile/samsung_mobile_devicesQ(10.0) , R(11.0) — SMR MAY-2021 Release 1

▶NVDgoogle/android10.0, 11.0+1

🔴Vulnerability Details

GHSA

GHSA-59c3-pmvg-hgmm: Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid↗2022-05-24

▶

CVEList

CVE-2021-25393: Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid↗2021-06-11

▶