CVE-2021-39619: Improper Privilege Management in Google Android

Severity: 7.8 HIGH (NVD)
EPSS: 0.0% (top 98.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline:
Published: Feb 11
Latest update: Feb 12

Description

In updatePackageMappingsData of UsageStatsService.java, there is a possible way to bypass security and privacy settings of app usage due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-11 Android-12
Android ID: A-197399948

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (4 packages)

CVEListV5 | google/android | Android-11 Android-12
NVD | google/android | 11.0, 12.0 (+1)
Android | platform/frameworks_base | 11:0, 11:2022-02-01 (+1)

Patches

Vulnerability Details (2)

GHSA | GHSA-jf3f-g536-j432: In updatePackageMappingsData of UsageStatsService | 2022-02-12
OSV | CVE-2021-39619: In updatePackageMappingsData of UsageStatsService | 2022-02-01

Vendor Advisories (1)

Android | CVE-2021-39619: Android Security Bulletin 2022-02-01 | 2022-02-01
CVE: CVE-2021-39619
Severity: HIGH
Type: EoP
Affected AOSP versions: 11, 12
References: A-197399948