CVE-2022-20145 — Google Android vulnerability

5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

6.4%

top 8.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Platform Packages Modules Connectivity Google Android

Timeline

PublishedJun 15

Latest updateJun 16

Description

In startLegacyVpnPrivileged of Vpn.java, there is a possible way to retrieve VPN credentials due to a protocol downgrade attack. This could lead to remote escalation of privilege if a malicious Wi-Fi AP is used, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-201660636

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5google/androidAndroid-11

▶NVDgoogle/android11.0

▶Androidplatform/frameworks_base12L-next:0 — 12L-next:2022-06-01+1

▶Androidplatform/packages_modules_connectivity12L-next:0 — 12L-next:2022-06-01

🔴Vulnerability Details

GHSA

GHSA-9q4r-5p5v-23xq: In startLegacyVpnPrivileged of Vpn↗2022-06-16

▶

CVEList

CVE-2022-20145: In startLegacyVpnPrivileged of Vpn↗2022-06-15

▶

OSV

CVE-2022-20145: In startLegacyVpnPrivileged of Vpn↗2022-06-01

▶

📋Vendor Advisories

Android

CVE-2022-20145: Android Security Bulletin 2022-06-01 CVE: CVE-2022-20145 Severity: CRITICAL Type: EoP Affected AOSP versions: 11 References: A-201660636↗2022-06-01

▶