CVE-2021-39625 — Improper Privilege Management in Google Android

CWE-269 — Improper Privilege Management4 documents4 sources

Severity

7.3HIGHNVD

EPSS

0.0%

top 98.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Vendor Unbundled Google Packages Euiccgoogleprebuilt Google Android

Timeline

PublishedJan 14

Latest updateJan 15

Description

In showCarrierAppInstallationNotification of EuiccNotificationManager.java, there is a possible way to gain an access to MediaProvider content due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-194695347

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5google/androidAndroid-10 Android-11 Android-12 Android-9

▶NVDgoogle/android4 versions+3

▶googlegoogle/android

▶Androidplatform/vendor_unbundled_google_packages_euiccgoogleprebuilt9:0 — 9:2022-01-01+3

🔴Vulnerability Details

GHSA

GHSA-mhq3-2c6r-3jxr: In showCarrierAppInstallationNotification of EuiccNotificationManager↗2022-01-15

▶

OSV

CVE-2021-39625: In showCarrierAppInstallationNotification of EuiccNotificationManager↗2022-01-01

▶

📋Vendor Advisories

Android

CVE-2021-39625: Android Security Bulletin 2022-01-01 CVE: CVE-2021-39625 Severity: HIGH Type: EoP Affected AOSP versions: 9, 10, 11, 12 References: A-194695347 *↗2022-01-01

▶