CVE-2021-25476
published 2021-10-06CVE-2021-25476: An information disclosure vulnerability in Widevine TA log prior to SMR Oct-2021 Release 1 allows attackers to bypass the ASLR protection mechanism in TEE.
PriorityP415medium4.4CVSS 3.1
AVLACLPRHUINSUCHINAN
EPSS
0.10%
0.9th percentile
An information disclosure vulnerability in Widevine TA log prior to SMR Oct-2021 Release 1 allows attackers to bypass the ASLR protection mechanism in TEE.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| android | — | — | |
| samsung_mobile | samsung_mobile_devices | >= Select Q(10.0), R(11.0) devices with Exynos chipsets < SMR Oct-2021 Release 1 | SMR Oct-2021 Release 1 |
CVSS provenance
nvdv3.14.4MEDIUMCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
nvdv2.02.1LOWAV:L/AC:L/Au:N/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
Exposure of Sensitive Information to an Unauthorized Actor
mitre_cwe
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include: private, personal information, such as personal messages, financial data, health records, geographic location, or contact details system status and environment, such as the operating system and installed packages business secrets and intellectual property network status and confi
CWE
Debug Messages Revealing Unnecessary Information
mitre_cwe
CWE-1295 Debug Messages Revealing Unnecessary Information
CWE-1295: Debug Messages Revealing Unnecessary Information
The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.
Debug messages are messages that help troubleshoot an issue by revealing the internal state of the system. For example, debug data in design can be exposed through internal memory array dumps or boot logs through interfaces like UART via TAP commands, scan chain, etc. Thus, the more information contained in a debug message, the easier it is to debug. However, there is also the risk of revealing information that could help an attacker either decipher a vulnerability, and/or gain a better understanding of the system. Thus, this extra information could lower the "security by obscurity" factor.
2021-10-06
Published