CVE-2024-40650 — Missing Authorization in Packages Apps Settings

CWE-862 — Missing Authorization CWE-358 — Improperly Implemented Security Check for Standard5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 99.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Packages Apps Settings Google Android

Timeline

PublishedSep 11

Description

In wifi_item_edit_content of styles.xml , there is a possible FRP bypass due to Missing check for FRP state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶Androidplatform/packages_apps_settings15-next:0 — 15-next:2024-09-01+4

▶CVEListV5google/android4 versions+3

▶NVDgoogle/android4 versions+3

Patches

Patch: android.googlesource.com ↗Patch: source.android.com ↗

🔴Vulnerability Details

GHSA

GHSA-hh5f-w8h8-vh35: In wifi_item_edit_content of styles↗2024-09-11

▶

CVEList

CVE-2024-40650: In wifi_item_edit_content of styles↗2024-09-11

▶

OSV

CVE-2024-40650: In wifi_item_edit_content of styles↗2024-09-01

▶

📋Vendor Advisories

Android

CVE-2024-40650: Android Security Bulletin 2024-09-01 CVE: CVE-2024-40650 Severity: HIGH Type: EoP Affected AOSP versions: 12, 12L, 13, 14 References: A-293199910↗2024-09-01

▶