CVE-2022-25814 — Incorrect Default Permissions in Mobile Devices

CWE-276 — Incorrect Default Permissions3 documents3 sources

Severity

7.8HIGHNVD

CNA5.5

EPSS

0.0%

top 97.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samsung Mobile Devices Google Android

Timeline

PublishedMar 10

Latest updateMar 11

Description

PendingIntent hijacking vulnerability in Wearable Manager Installer prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5samsung_mobile/samsung_mobile_devicesR(11), S(12) — SMR Mar-2022 Release 1

▶NVDgoogle/android11.0, 12.0+1

🔴Vulnerability Details

GHSA

GHSA-7xcq-9v27-4gw8: PendingIntent hijacking vulnerability in Wearable Manager Installer prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized act↗2022-03-11

▶

CVEList

CVE-2022-25814: PendingIntent hijacking vulnerability in Wearable Manager Installer prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized act↗2022-03-08

▶