CVE-2022-20350Improper Input Validation in Google Android

CWE-20Improper Input ValidationCWE-125Out-of-bounds Read5 documents5 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 95.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Platform Frameworks BasePlatform Packages Apps CAR SettingsPlatform Packages Apps Settings+2 more
Timeline
PublishedAug 10
Latest updateAug 11

Description

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way to trick the victim to grant notification access to the wrong app due to improper input validation. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-228178437

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages6 packages

CVEListV5google/androidAndroid-10 Android-11 Android-12 Android-12L
NVDgoogle/android4 versions+3
Androidplatform/frameworks_base10:010:2022-08-01+3
Androidplatform/packages_services_car10:010:2022-08-01+1
Androidplatform/packages_apps_settings10:010:2022-08-01+3

Patches

Patch: source.android.comPatch: source.android.com

🔴Vulnerability Details

3
GHSA
GHSA-2452-xqvj-2c63: In onCreate of NotificationAccessConfirmationActivity2022-08-11
CVEList
CVE-2022-20350: In onCreate of NotificationAccessConfirmationActivity2022-08-09
OSV
CVE-2022-20350: In onCreate of NotificationAccessConfirmationActivity2022-08-01

📋Vendor Advisories

1
Android
CVE-2022-20350: Android Security Bulletin 2022-08-01 CVE: CVE-2022-20350 Severity: HIGH Type: ID Affected AOSP versions: 10, 11, 12, 12L References: A-228178437 [2] [2022-08-01
CVE-2022-20350 — Improper Input Validation in Google | cvebase