CVE-2022-20220 — Path Traversal in Google Android

CWE-22 — Path Traversal6 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 97.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Packages Providers Contactsprovider Google Android

Timeline

PublishedJul 13

Latest updateAug 9

Description

In openFile of CallLogProvider.java, there is a possible permission bypass due to a path traversal error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-219015884

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5google/androidAndroid-12 Android-12L

▶NVDgoogle/android12.0, 12.1+1

▶Androidplatform/packages_providers_contactsprovider12:0 — 12:2022-07-05+1

Patches

Patch: source.android.com ↗Patch: source.android.com ↗

🔴Vulnerability Details

GHSA

GHSA-f6hg-99jw-r4ch: In openFile of CallLogProvider↗2022-07-14

▶

CVEList

CVE-2022-20220: In openFile of CallLogProvider↗2022-07-13

▶

OSV

CVE-2022-20220: In openFile of CallLogProvider↗2022-07-01

▶

📋Vendor Advisories

Microsoft

CERT/CC: CVE-20220-34303 Crypto Pro Boot Loader Bypass↗2022-08-09

▶

Android

CVE-2022-20220: Android Security Bulletin 2022-07-01 CVE: CVE-2022-20220 Severity: HIGH Type: EoP Affected AOSP versions: 12, 12L References: A-219015884↗2022-07-01

▶