CVE-2023-21422 — Improper Authorization in Mobile Devices

CWE-285 — Improper Authorization CWE-863 — Incorrect Authorization3 documents3 sources

Severity

5.5MEDIUMNVD

CNA5.7

EPSS

0.1%

top 80.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samsung Mobile Devices Samsung Android

Timeline

PublishedFeb 9

Description

Improper authorization vulnerability in semAddPublicDnsAddr in WifiSevice prior to SMR Jan-2023 Release 1 allows attackers to set custom DNS server without permission via binding WifiService.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5samsung_mobile/samsung_mobile_devicesR(11), S(12) — SMR Jan-2023 Release 1

▶NVDsamsung/android11.0, 12.0+1

🔴Vulnerability Details

GHSA

GHSA-fqp8-5p4x-f5mw: Improper authorization vulnerability in semAddPublicDnsAddr in WifiSevice prior to SMR Jan-2023 Release 1 allows attackers to set custom DNS server wi↗2023-02-09

▶

CVEList

CVE-2023-21422: Improper authorization vulnerability in semAddPublicDnsAddr in WifiSevice prior to SMR Jan-2023 Release 1 allows attackers to set custom DNS server wi↗2023-02-09

▶