CVE-2022-20011 — Missing Authorization in Google Android

CWE-862 — Missing Authorization6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 83.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Google Android Debian Android-platform-frameworks-base

Timeline

PublishedMay 10

Latest updateMay 11

Description

In getArray of NotificationManagerService.java , there is a possible leak of one user notifications to another due to missing check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-214999128

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5google/androidAndroid-10 Android-11 Android-12 Android-12L

▶NVDgoogle/android4 versions+3

▶googlegoogle/android

▶debiandebian/android-platform-frameworks-base

▶Androidplatform/frameworks_base10:0 — 10:2022-05-01+3

Patches

Patch: source.android.com ↗Patch: source.android.com ↗

🔴Vulnerability Details

GHSA

GHSA-fhf6-wwc5-f233: In getArray of NotificationManagerService↗2022-05-11

▶

OSV

CVE-2022-20011: In getArray of NotificationManagerService↗2022-05-10

▶

OSV

CVE-2022-20011: In getArray of NotificationManagerService↗2022-05-01

▶

📋Vendor Advisories

Android

CVE-2022-20011: Android Security Bulletin 2022-05-01 CVE: CVE-2022-20011 Severity: HIGH Type: ID Affected AOSP versions: 10, 11, 12, 12L References: A-214999128↗2022-05-01

▶

Debian

CVE-2022-20011: android-platform-frameworks-base - In getArray of NotificationManagerService.java , there is a possible leak of one...↗2022

▶