CVE-2024-0015Improper Handling of Insufficient Permissions or Privileges in Frameworks Base

CWE-280Improper Handling of Insufficient Permissions or PrivilegesCWE-284Improper Access Control7 documents6 sources
Severity
7.8HIGHNVD
CISA9.8
EPSS
4.0%
top 11.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform Frameworks BaseGoogle Android
Timeline
PublishedFeb 16
Latest updateNov 15

Description

In convertToComponentName of DreamService.java, there is a possible way to launch arbitrary protected activities due to intent redirection. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

Androidplatform/frameworks_base14-next:014-next:2024-01-01+4
CVEListV5google/android4 versions+3
NVDgoogle/android4 versions+3

Patches

Patch: android.googlesource.comPatch: source.android.comPatch: android.googlesource.com

🔴Vulnerability Details

2
GHSA
GHSA-5wf4-qch9-828f: In convertToComponentName of DreamService2024-02-16
OSV
CVE-2024-0015: In convertToComponentName of DreamService2024-01-01

📋Vendor Advisories

2
CISA
SonicWall SonicOS Improper Access Control Vulnerability2024-09-09
Android
CVE-2024-0015: Android Security Bulletin 2024-01-01 CVE: CVE-2024-0015 Severity: HIGH Type: EoP Affected AOSP versions: 11, 12, 12L, 13 References: A-3000902042024-01-01

🕵️Threat Intelligence

1
Bleepingcomputer
Palo Alto Networks warns of critical RCE zero-day exploited in attacks2024-11-15