CVE-2022-28782 — Improper Protection of Alternate Path in Mobile Devices

CWE-424 — Improper Protection of Alternate Path CWE-863 — Incorrect Authorization3 documents3 sources

Severity

4.6MEDIUMNVD

EPSS

0.0%

top 95.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samsung Mobile Devices Google Android

Timeline

PublishedMay 3

Latest updateMay 4

Description

Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows physical attacker to install package before completion of Setup wizard. The patch blocks entry point of the vulnerability.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5samsung_mobile/samsung_mobile_devicesSelect R(11), S(12) devices — SMR May-2022 Release 1

▶NVDgoogle/android11.0, 12.0+1

🔴Vulnerability Details

GHSA

GHSA-wr3g-x329-q53c: Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows physical attacker to install package before complet↗2022-05-04

▶

CVEList

CVE-2022-28782: Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows physical attacker to install package before complet↗2022-05-03

▶