CVE-2022-20441 — Incorrect Default Permissions in Google Android

CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 97.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Google Android

Timeline

PublishedNov 8

Latest updateNov 9

Description

In navigateUpTo of Task.java, there is a possible way to launch an unexported intent handler due to a logic error in the code. This could lead to local escalation of privilege if the targeted app has an intent trampoline, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-238605611

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5google/androidAndroid-10 Android-11 Android-12 Android-12L Android-13

▶NVDgoogle/android5 versions+4

▶googlegoogle/android

▶Androidplatform/frameworks_base10:0 — 10:2022-11-01+4

🔴Vulnerability Details

GHSA

GHSA-pppm-qqpf-jj26: In navigateUpTo of Task↗2022-11-09

▶

OSV

CVE-2022-20441: In navigateUpTo of Task↗2022-11-01

▶

📋Vendor Advisories

Android

CVE-2022-20441: Android Security Bulletin 2022-11-01 CVE: CVE-2022-20441 Severity: HIGH Type: EoP Affected AOSP versions: 10, 11, 12, 12L, 13 References: A-238605611↗2022-11-01

▶