CVE-2022-20442 — UI Misrepresentation / Clickjacking in Google Android

CWE-1021 — UI Misrepresentation / Clickjacking5 documents5 sources

Severity

7.3HIGHNVD

EPSS

0.0%

top 98.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Packages Apps Packageinstaller Platform Packages Modules Permission Google Android

Timeline

PublishedDec 13

Description

In onCreate of ReviewPermissionsActivity.java, there is a possible way to grant permissions for a separate app with API level < 23 due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-176094367

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5google/androidAndroid-10 Android-11 Android-12 Android-12L

▶NVDgoogle/android10.0, 11.0, 12.0+2

▶Androidplatform/packages_modules_permission12:0 — 12:2022-12-01+1

▶Androidplatform/packages_apps_packageinstaller10:0 — 10:2022-12-01

🔴Vulnerability Details

GHSA

GHSA-r3jj-9x89-rjrv: In onCreate of ReviewPermissionsActivity↗2022-12-13

▶

CVEList

CVE-2022-20442: In onCreate of ReviewPermissionsActivity↗2022-12-13

▶

OSV

CVE-2022-20442: In onCreate of ReviewPermissionsActivity↗2022-12-01

▶

📋Vendor Advisories

Android

CVE-2022-20442: Android Security Bulletin 2022-12-01 CVE: CVE-2022-20442 Severity: HIGH Type: EoP Affected AOSP versions: 10, 11, 12, 12L References: A-176094367↗2022-12-01

▶