CVE-2021-39618 — Improper Privilege Management in Vendor Unbundled Google Packages Euiccgoogleprebuilt

CWE-269 — Improper Privilege Management4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 98.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Vendor Unbundled Google Packages Euiccgoogleprebuilt Google Android

Timeline

PublishedJan 14

Latest updateJan 15

Description

In multiple methods of EuiccNotificationManager.java, there is a possible way to install existing packages without user consent due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-196855999

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5google/androidAndroid-10 Android-11 Android-12 Android-9

▶NVDgoogle/android4 versions+3

▶googlegoogle/android

▶Androidplatform/vendor_unbundled_google_packages_euiccgoogleprebuilt9:0 — 9:2022-01-01+3

🔴Vulnerability Details

GHSA

GHSA-6422-47gp-w7v8: In multiple methods of EuiccNotificationManager↗2022-01-15

▶

OSV

CVE-2021-39618: In multiple methods of EuiccNotificationManager↗2022-01-01

▶

📋Vendor Advisories

Android

CVE-2021-39618: Android Security Bulletin 2022-01-01 CVE: CVE-2021-39618 Severity: HIGH Type: EoP Affected AOSP versions: 9, 10, 11, 12 References: A-196855999 *↗2022-01-01

▶