CVE-2022-20458Log File Information Exposure in Google Android

CWE-532Log File Information Exposure3 documents3 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 94.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Google Android
Timeline
PublishedJan 26
Latest updateApr 15

Description

The logs of sensitive information (PII) or hardware identifier should only be printed in Android "userdebug" or "eng" build. StatusBarNotification.getKey() could contain sensitive information. However, CarNotificationListener.java, it prints out the StatusBarNotification.getKey() directly in logs, which could contain user's account name (i.e. PII), in Android "user" build.Product: AndroidVersions: Android-12LAndroid ID: A-205567776

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5google/androidAndroid-12L
NVDgoogle/android12.1

🔴Vulnerability Details

2
VulDB
Google Android 12.0 CarNotificationListener.java StatusBarNotification.getKey log file (A-205567776 / EUVD-2022-25718)2026-04-15
GHSA
GHSA-m5r4-qhx5-2g4c: The logs of sensitive information (PII) or hardware identifier should only be printed in Android "userdebug" or "eng" build2023-01-26