CVE-2022-20145
published 2022-06-15
critical 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In startLegacyVpnPrivileged of Vpn.java, there is a possible way to retrieve VPN credentials due to a protocol downgrade attack. This could lead to remote escalation of privilege if a malicious Wi-Fi AP is used, with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-11
Android ID: A-201660636
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| android | — | — | |
| android | — | — | |
| platform | frameworks_base | >= 11:0 < 11:2022-06-01 | 11:2022-06-01 |
| platform | frameworks_base | >= 12L-next:0 < 12L-next:2022-06-01 | 12L-next:2022-06-01 |
| platform | packages_modules_connectivity | >= 12L-next:0 < 12L-next:2022-06-01 | 12L-next:2022-06-01 |