CVE-2022-20219 — Cleartext Storage of Sensitive Info in Google Android

CWE-312 — Cleartext Storage of Sensitive Info CWE-311 — Missing Encryption of Sensitive Data4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 99.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Google Android

Timeline

PublishedJul 13

Latest updateJul 14

Description

In multiple functions of StorageManagerService.java and UserManagerService.java, there is a possible way to leave user's directories unencrypted due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-224585613

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5google/androidAndroid-10 Android-11 Android-12 Android-12L

▶NVDgoogle/android4 versions+3

▶googlegoogle/android

▶Androidplatform/frameworks_base10:0 — 10:2022-07-01+3

🔴Vulnerability Details

GHSA

GHSA-cj64-g34r-r9fr: In multiple functions of StorageManagerService↗2022-07-14

▶

OSV

CVE-2022-20219: In multiple functions of StorageManagerService↗2022-07-01

▶

📋Vendor Advisories

Android

CVE-2022-20219: Android Security Bulletin 2022-07-01 CVE: CVE-2022-20219 Severity: HIGH Type: ID Affected AOSP versions: 10, 11, 12, 12L References: A-224585613 [2] [↗2022-07-01

▶