CVE-2022-20497 — Sensitive Information Exposure in Google Android

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

4.6MEDIUMNVD

EPSS

0.0%

top 91.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Google Android

Timeline

PublishedDec 13

Description

In updatePublicMode of NotificationLockscreenUserManagerImpl.java, there is a possible way to reveal sensitive notifications on the lockscreen due to an incorrect state transition. This could lead to local information disclosure with physical access required and an app that runs above the lockscreen, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-246301979

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5google/androidAndroid-12 Android-12L Android-13

▶NVDgoogle/android12.0, 12.1, 13.0+2

▶googlegoogle/android

▶Androidplatform/frameworks_base12:0 — 12:2022-12-01+2

Patches

Patch: source.android.com ↗Patch: source.android.com ↗

🔴Vulnerability Details

GHSA

GHSA-5xfh-4pqx-pm43: In updatePublicMode of NotificationLockscreenUserManagerImpl↗2022-12-13

▶

OSV

CVE-2022-20497: In updatePublicMode of NotificationLockscreenUserManagerImpl↗2022-12-01

▶

📋Vendor Advisories

Android

CVE-2022-20497: Android Security Bulletin 2022-12-01 CVE: CVE-2022-20497 Severity: HIGH Type: ID Affected AOSP versions: 12, 12L, 13 References: A-246301979↗2022-12-01

▶