CVE-2021-39691 — UI Misrepresentation / Clickjacking in Google Android

CWE-1021 — UI Misrepresentation / Clickjacking5 documents5 sources

Severity

7.3HIGHNVD

EPSS

0.0%

top 98.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Platform Frameworks Native Platform Packages Apps Launcher3 +2 more

Timeline

PublishedJun 15

Latest updateJun 16

Description

In WindowManager, there is a possible tapjacking attack due to an incorrect window flag when processing user input. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-157929241

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5google/androidAndroid-10 Android-11 Android-12

▶NVDgoogle/android10.0, 11.0, 12.0+2

▶Androidplatform/frameworks_base12L-next:0 — 12L-next:2022-06-01+2

▶Androidplatform/frameworks_native10:0 — 10:2022-06-01+1

▶Androidplatform/packages_apps_launcher311:0 — 11:2022-06-01+1

🔴Vulnerability Details

GHSA

GHSA-4fq5-hp4p-wwmv: In WindowManager, there is a possible tapjacking attack due to an incorrect window flag when processing user input↗2022-06-16

▶

CVEList

CVE-2021-39691: In WindowManager, there is a possible tapjacking attack due to an incorrect window flag when processing user input↗2022-06-15

▶

OSV

CVE-2021-39691: In WindowManager, there is a possible tapjacking attack due to an incorrect window flag when processing user input↗2022-06-01

▶

📋Vendor Advisories

Android

CVE-2021-39691: Android Security Bulletin 2022-06-01 CVE: CVE-2021-39691 Severity: HIGH Type: EoP Affected AOSP versions: 10, 11, 12 References: A-157929241↗2022-06-01

▶