CVE-2021-39808 — Missing Authorization in Google Android

CWE-862 — Missing Authorization CWE-269 — Improper Privilege Management4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 98.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Google Android

Timeline

PublishedApr 12

Latest updateApr 13

Description

In createNotificationChannelGroup of PreferencesHelper.java, there is a possible way for a service to run in foreground without user notification due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-209966086

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5google/androidAndroid-10 Android-11 Android-12

▶NVDgoogle/android10.0, 11.0, 12.0+2

▶googlegoogle/android

▶Androidplatform/frameworks_base10:0 — 10:2022-04-01+2

Patches

Patch: source.android.com ↗Patch: source.android.com ↗

🔴Vulnerability Details

GHSA

GHSA-pghj-jw56-c2j2: In createNotificationChannelGroup of PreferencesHelper↗2022-04-13

▶

OSV

CVE-2021-39808: In createNotificationChannelGroup of PreferencesHelper↗2022-04-01

▶

📋Vendor Advisories

Android

CVE-2021-39808: Android Security Bulletin 2022-04-01 CVE: CVE-2021-39808 Severity: HIGH Type: EoP Affected AOSP versions: 10, 11, 12 References: A-209966086↗2022-04-01

▶