CVE-2024-34721 — Insecure Storage of Sensitive Information in Packages Providers Mediaprovider

CWE-922 — Insecure Storage of Sensitive Information5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 91.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Packages Providers Mediaprovider Google Android

Timeline

PublishedJul 9

Description

In ensureFileColumns of MediaProvider.java, there is a possible disclosure of files owned by another user due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Androidplatform/packages_providers_mediaprovider14-next:0 — 14-next:2024-07-01+4

▶CVEListV5google/android4 versions+3

▶NVDgoogle/android4 versions+3

Patches

Patch: android.googlesource.com ↗Patch: source.android.com ↗Patch: android.googlesource.com ↗

🔴Vulnerability Details

GHSA

GHSA-2cgp-j8vp-ww2f: In ensureFileColumns of MediaProvider↗2024-07-09

▶

CVEList

CVE-2024-34721: In ensureFileColumns of MediaProvider↗2024-07-09

▶

OSV

CVE-2024-34721: In ensureFileColumns of MediaProvider↗2024-07-01

▶

📋Vendor Advisories

Android

CVE-2024-34721: Android Security Bulletin 2024-07-01 CVE: CVE-2024-34721 Severity: HIGH Type: ID Affected AOSP versions: 12, 12L, 13, 14 References: A-294406604↗2024-07-01

▶