Samsung Mobile Devices vulnerabilities
375 known vulnerabilities affecting samsung_mobile/samsung_mobile_devices.
Total CVEs: 375
CISA KEV: 11 (actively exploited)
Public exploits: 0
Exploited in wild: 11
Severity breakdown: CRITICAL 37, HIGH 101, MEDIUM 142, LOW 95
Vulnerabilities
Page 13 of 19
CVE-2022-24932 [MEDIUM] CVSS 4.6 | CWE-424 | ≥ Q(10), R(11), S(12), < SMR Mar-2022 Release 1 | 2022-03-10
Improper Protection of Alternate Path vulnerability in Setup wizard process prior to SMR Mar-2022 Release 1 allows physical attacker package installation before finishing Setup wizard.
cvelistv5, nvd
CVE-2022-24929 [LOW] CVSS 3.3 | CWE-926 | ≥ Q(10), R(11), S(12), < SMR Mar-2022 Release 1 | 2022-03-10
Unprotected Activity in AppLock prior to SMR Mar-2022 Release 1 allows attacker to change the list of locked apps without authentication.
cvelistv5, nvd
CVE-2022-25817 [LOW] CVSS 3.3 | CWE-287 | ≥ Q(10), R(11), < SMR Mar-2022 Release 1 | 2022-03-10
Improper authentication in One UI Home prior to SMR Mar-2022 Release 1 allows attacker to generate pinned-shortcut without user consent.
cvelistv5, nvd
CVE-2022-23425 [CRITICAL] CVSS 9.8 | CWE-20 | ≥ P(9.0), Q(10.0), R(11.0), S(12.0) with select Exynos devices, < SMR Feb-2022 Release 1 | 2022-02-11
Improper input validation in Exynos baseband prior to SMR Feb-2022 Release 1 allows attackers to send arbitrary NAS signaling messages with fake base station.
cvelistv5, nvd
CVE-2022-23427 [HIGH] CVSS 7.1 | CWE-20 | ≥ Q(10), R(11), S(12), < SMR Feb-2022 Release 1 | 2022-02-11
PendingIntent hijacking vulnerability in KnoxPrivacyNoticeReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission via implicit Intent.
cvelistv5, nvd
CVE-2022-22292 [HIGH] CVSS 7.8 | CWE-280 | ≥ Q(10.0), R(11.0), S(12.0), < SMR Feb-2022 Release 1 | 2022-02-11
Unprotected dynamic receiver in Telecom prior to SMR Feb-2022 Release 1 allows untrusted applications to launch arbitrary activity.
cvelistv5, nvd
CVE-2022-24925 [MEDIUM] CVSS 6.5 | CWE-20 | ≥ -, < Android S(12) | 2022-02-11
Improper input validation vulnerability in SettingsProvider prior to Android S(12) allows privileged attackers to trigger a permanent denial of service attack on a victim's devices.
cvelistv5, nvd
CVE-2022-23429 [MEDIUM] CVSS 4.4 | CWE-125 | ≥ P(9.0), Q(10.0), R(11.0), < SMR Feb-2022 Release 1 | 2022-02-11
An improper boundary check in audio hal service prior to SMR Feb-2022 Release 1 allows attackers to read invalid memory and it leads to application crash.
cvelistv5, nvd
CVE-2022-23426 [MEDIUM] CVSS 6.0 | CWE-94 | ≥ P(9.0), Q(10.0), R(11.0), < SMR Feb-2022 Release 1 | 2022-02-11
A vulnerability using PendingIntent in DeX Home and DeX for PC prior to SMR Feb-2022 Release 1 allows attackers to access files with system privilege.
cvelistv5, nvd
CVE-2022-22291 [MEDIUM] CVSS 5.5 | CWE-779 | ≥ Q(10.0), R(11.0), S(12.0), < SMR Feb-2022 Release 1 | 2022-02-11
Logging of excessive data vulnerability in telephony prior to SMR Feb-2022 Release 1 allows privileged attackers to get Cell Location Information through log of user device.
cvelistv5, nvd
CVE-2022-24001 [MEDIUM] CVSS 4.6 | CWE-200 | ≥ -, < Android S(12) | 2022-02-11
Information disclosure vulnerability in Edge Panel prior to Android S(12) allows physical attackers to access screenshot in clipboard via Edge Panel.
cvelistv5, nvd
CVE-2022-23999 [LOW] CVSS 3.3 | CWE-20 | ≥ Q(10), R(11), S(12), < SMR Feb-2022 Release 1 | 2022-02-11
PendingIntent hijacking vulnerability in CpaReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission in KnoxPrivacyNoticeReceiver via implicit Intent.
cvelistv5, nvd
CVE-2022-24000 [LOW] CVSS 3.3 | CWE-20 | ≥ Q(10), R(11), S(12), < SMR Feb-2022 Release 1 | 2022-02-11
PendingIntent hijacking vulnerability in DataUsageReminderReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission in KnoxPrivacyNoticeReceiver via implicit Intent.
cvelistv5, nvd
CVE-2022-22264 [HIGH] CVSS 7.1 | CWE-20 | ≥ Q(10.0), R(11.0), S(12.0), < SMR Jan-2022 Release 1 | 2022-01-10
Improper sanitization of incoming intent in Dressroom prior to SMR Jan-2022 Release 1 allows local attackers to read and write arbitrary files without permission.
cvelistv5, nvd
CVE-2022-22265 [HIGH] CVSS 7.8 | KEV | CWE-703 | ≥ O(8.x), P(9.0), Q(10.0), R(11.0), S(12.0), < SMR Jan-2022 Release 1 | 2022-01-10
An improper check or handling of exceptional conditions in NPU driver prior to SMR Jan-2022 Release 1 allows arbitrary memory write and code execution.
cvelistv5, nvd
CVE-2022-22268 [MEDIUM] CVSS 6.1 | CWE-285 | ≥ P(9.0), Q(10.0), R(11.0), S(12.0), < SMR Jan-2022 Release 1 | 2022-01-10
Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 allows physically proximate attackers to temporarily unlock the Knox Guard via Samsung DeX mode.
cvelistv5, nvd
CVE-2022-22263 [MEDIUM] CVSS 5.5 | CWE-269 | ≥ R(11.0), < SMR Jan-2022 Release 1 | 2022-01-10
Unprotected dynamic receiver in SecSettings prior to SMR Jan-2022 Release 1 allows untrusted applications to launch arbitrary activity.
cvelistv5, nvd
CVE-2022-22271 [MEDIUM] CVSS 5.5 | CWE-125 | ≥ P(9.0), Q(10.0), R(11.0), < SMR Jan-2022 Release 1 | 2022-01-10
A missing input validation before memory copy in TIMA trustlet prior to SMR Jan-2022 Release 1 allows attackers to copy data from arbitrary memory.
cvelistv5, nvd
CVE-2022-22272 [LOW] CVSS 3.3 | CWE-285 | ≥ Q(10.0), R(11.0), S(12.0), < SMR Jan-2022 Release 1 | 2022-01-10
Improper authorization in TelephonyManager prior to SMR Jan-2022 Release 1 allows attackers to get IMSI without READ_PRIVILEGED_PHONE_STATE permission.
cvelistv5, nvd
CVE-2022-22270 [LOW] CVSS 3.3 | CWE-94 | ≥ P(9.0), Q(10.0), R(11.0), < SMR Jan-2022 Release 1 | 2022-01-10
An implicit Intent hijacking vulnerability in Dialer prior to SMR Jan-2022 Release 1 allows unprivileged applications to access contact information.
cvelistv5, nvd