CVE-2022-20240Missing Authorization in Google Android

CWE-862Missing AuthorizationCWE-276Incorrect Default Permissions6 documents5 sources
Severity
2.3LOWNVD
EPSS
0.0%
top 96.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Platform Frameworks BasePlatform Packages Modules WifiGoogle Android
Timeline
PublishedDec 13

Description

In sOpAllowSystemRestrictionBypass of AppOpsManager.java, there is a possible leak of location information due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-231496105

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:NExploitability: 0.8 | Impact: 1.4

Affected Packages4 packages

CVEListV5google/androidAndroid-12 Android-12L
NVDgoogle/android12.0
Androidplatform/frameworks_base12:012:2022-12-01+1
Androidplatform/packages_modules_wifi12:012:2022-12-01+1

🔴Vulnerability Details

4
CVEList
CVE-2022-20240: In sOpAllowSystemRestrictionBypass of AppOpsManager2022-12-13
GHSA
GHSA-cpcw-3j2g-7q8g: In sOpAllowSystemRestrictionBypass of AppOpsManager2022-12-13
OSV
CVE-2022-20240: In sOpAllowSystemRestrictionBypass of AppOpsManager2022-12-13
OSV
CVE-2022-20240: In sOpAllowSystemRestrictionBypass of AppOpsManager2022-12-01

📋Vendor Advisories

1
Android
CVE-2022-20240: Android Security Bulletin 2022-12-01 CVE: CVE-2022-20240 Severity: HIGH Type: EoP Affected AOSP versions: 12, 12L References: A-231496105 [2] [3] [4]2022-12-01
CVE-2022-20240 — Missing Authorization in Google | cvebase