CVE-2024-34734Initialization of a Resource with an Insecure Default in Frameworks Base

CWE-1188Initialization of a Resource with an Insecure DefaultCWE-453Insecure Default Variable Initialization4 documents4 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 77.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform Frameworks BaseGoogle Android
Timeline
PublishedAug 15
Latest updateAug 16

Description

In onForegroundServiceButtonClicked of FooterActionsViewModel.kt, there is a possible way to disable the active VPN app from the lockscreen due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

Androidplatform/frameworks_base14-next:014-next:2024-08-01+2
CVEListV5google/android13, 14+1
NVDgoogle/android13.0, 14.0+1

Patches

Patch: android.googlesource.comPatch: source.android.com

🔴Vulnerability Details

2
GHSA
GHSA-67q8-hw3v-9fj4: In onForegroundServiceButtonClicked of FooterActionsViewModel2024-08-16
OSV
CVE-2024-34734: In onForegroundServiceButtonClicked of FooterActionsViewModel2024-08-01

📋Vendor Advisories

1
Android
CVE-2024-34734: Android Security Bulletin 2024-08-01 CVE: CVE-2024-34734 Severity: HIGH Type: EoP Affected AOSP versions: 13, 14 References: A-3047727092024-08-01