Samsung Mobile Devices vulnerabilities

375 known vulnerabilities affecting samsung_mobile/samsung_mobile_devices.

Total CVEs: 375
CISA KEV: 11 (actively exploited)
Public exploits: 0
Exploited in wild: 11
Severity breakdown: CRITICAL 37, HIGH 101, MEDIUM 142, LOW 95

Vulnerabilities

Page 3 of 19
CVE-2023-21421 | HIGH | CVSS 7.8 | ≥ Q(10), R(11), S(12), T(13), < SMR Jan-2023 Release 1 | 2023-02-09
CWE-280: Improper Handling of Insufficient Permissions or Privileges vulnerability in KnoxCustomManagerService prior to SMR Jan-2023 Release 1 allows attacker to access device SIM PIN.
Sources: cvelistv5, nvd
CVE-2023-21423 | MEDIUM | CVSS 5.5 | ≥ S(12), T(13), < SMR Jan-2023 Release 1 | 2023-02-09
CWE-285: Improper authorization vulnerability in ChnFileShareKit prior to SMR Jan-2023 Release 1 allows attacker to control BLE advertising without permission using unprotected action.
Sources: cvelistv5, nvd
CVE-2023-21427 | MEDIUM | CVSS 6.5 | ≥ R(11), S(12), T(13), < SMR Jan-2023 Release 1 | 2023-02-09
CWE-284: Improper access control vulnerability in NfcTile prior to SMR Jan-2023 Release 1 allows attacker to use NFC without user recognition.
Sources: cvelistv5, nvd
CVE-2023-21440 | MEDIUM | CVSS 5.5 | ≥ T(13), < SMR Feb-2023 Release 1 | 2023-02-09
CWE-285: Improper access control vulnerability in WindowManagerService prior to SMR Feb-2023 Release 1 allows attackers to take a screen capture.
Sources: cvelistv5, nvd
CVE-2023-21422 | MEDIUM | CVSS 5.5 | ≥ R(11), S(12), < SMR Jan-2023 Release 1 | 2023-02-09
CWE-285: Improper authorization vulnerability in semAddPublicDnsAddr in WifiService prior to SMR Jan-2023 Release 1 allows attackers to set custom DNS server without permission via binding WifiService.
Sources: cvelistv5, nvd
CVE-2023-21437 | MEDIUM | CVSS 5.5 | ≥ Q(10), R(11), S(12), T(13), < SMR Feb-2023 Release 1 | 2023-02-09
CWE-287: Improper access control vulnerability in Phone application prior to SMR Feb-2023 Release 1 allows local attackers to access sensitive information via implicit broadcast.
Sources: cvelistv5, nvd
CVE-2023-21426 | MEDIUM | CVSS 5.5 | ≥ Select Q(10) devices, < SMR Jan-2023 Release 1 | 2023-02-09
CWE-798: Hardcoded AES key to encrypt cardemulation PINs in NFC prior to SMR Jan-2023 Release 1 allows attackers to access cardemulation PIN.
Sources: cvelistv5, nvd
CVE-2023-21425 | MEDIUM | CVSS 5.5 | ≥ Q(10), R(11), S(12), T(13), < SMR Jan-2023 Release 1 | 2023-02-09
CWE-287: Improper access control vulnerability in telecom application prior to SMR JAN-2023 Release 1 allows local attackers to get sensitive information.
Sources: cvelistv5, nvd
CVE-2023-21435 | MEDIUM | CVSS 5.5 | ≥ Select R(11), S(12), T(13) devices, < SMR Feb-2023 Release 1 | 2023-02-09
CWE-200: Exposure of Sensitive Information vulnerability in Fingerprint TA prior to SMR Feb-2023 Release 1 allows attackers to access the memory address information via log.
Sources: cvelistv5, nvd
CVE-2023-21424 | LOW | CVSS 3.3 | ≥ R(11), S(12), T(13), < SMR Jan-2023 Release 1 | 2023-02-09
CWE-285: Improper Handling of Insufficient Permissions or Privileges vulnerability in SemChameleonHelper prior to SMR Jan-2023 Release 1 allows attacker to modify network related values, network code, carrier id and operator brand.
Sources: cvelistv5, nvd
CVE-2023-21429 | LOW | CVSS 3.3 | ≥ Q(10), R(11), S(12), T(13), < SMR Jan-2023 Release 1 | 2023-02-09
CWE-285: Improper usage of implicit intent in ePDG prior to SMR JAN-2023 Release 1 allows attacker to access SSID.
Sources: cvelistv5, nvd
CVE-2023-21436 | LOW | CVSS 3.3 | ≥ Q(10), R(11), S(12), T(13), < SMR Feb-2023 Release 1 | 2023-02-09
CWE-285: Improper usage of implicit intent in Contacts prior to SMR Feb-2023 Release 1 allows attacker to get account ID.
Sources: cvelistv5, nvd
CVE-2023-21428 | LOW | CVSS 3.3 | ≥ R(11), S(12), T(13), < SMR Jan-2023 Release 1 | 2023-02-09
CWE-20: Improper input validation vulnerability in TelephonyUI prior to SMR Jan-2023 Release 1 allows attackers to configure Preferred Call. The patch removes unused code.
Sources: cvelistv5, nvd
CVE-2023-21438 | LOW | CVSS 2.4 | ≥ R(11), S(12), < SMR Feb-2023 Release 1 | 2023-02-09
CWE-284: Improper logic in HomeScreen prior to SMR Feb-2023 Release 1 allows physical attacker to access App preview protected by Secure Folder.
Sources: cvelistv5, nvd
CVE-2022-39908 | HIGH | CVSS 7.4 | ≥ Q(10) and R(11) OS with libsadapter, S(12) and T(13) OS with libsthmbcadapter, < SMR Dec-2022 Release 1 | 2022-12-08
CWE-367: TOCTOU vulnerability in Samsung decoding library for video thumbnails prior to SMR Dec-2022 Release 1 allows local attacker to perform Out-Of-Bounds Write.
Sources: cvelistv5, nvd
CVE-2022-39902 | HIGH | CVSS 7.5 | ≥ Exynos baseband, < SMR Dec-2022 Release 1 | 2022-12-08
CWE-285: Improper authorization in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to get sensitive information including IMEI via emergency call.
Sources: cvelistv5, nvd
CVE-2022-39907 | HIGH | CVSS 7.8 | ≥ Q(10) and R(11) OS with libsadapter, S(12) and T(13) OS with libsthmbcadapter, < SMR Dec-2022 Release 1 | 2022-12-08
CWE-190: Integer overflow vulnerability in Samsung decoding library for video thumbnails prior to SMR Dec-2022 Release 1 allows local attacker to perform Out-Of-Bounds Write.
Sources: cvelistv5, nvd
CVE-2022-39897 | MEDIUM | CVSS 5.5 | ≥ Selected Q(10), R(11), S(12) Qualcomm devices, < SMR Dec-2022 Release 1 | 2022-12-08
CWE-200: Exposure of Sensitive Information vulnerability in kernel prior to SMR Dec-2022 Release 1 allows attackers to access the kernel address information via log.
Sources: cvelistv5, nvd
CVE-2022-39900 | MEDIUM | CVSS 4.6 | ≥ R(11), S(12), T(13), < SMR Dec-2022 Release 1 | 2022-12-08
CWE-284: Improper access control vulnerability in Nice Catch prior to SMR Dec-2022 Release 1 allows physical attackers to access contents of all toast generated in the application installed in Secure Folder through Nice Catch.
Sources: cvelistv5, nvd
CVE-2022-39905 | MEDIUM | CVSS 5.5 | ≥ Q(10), R(11), S(12), T(13), < SMR Dec-2022 Release 1 | 2022-12-08
CWE-285: Implicit intent hijacking vulnerability in Telecom application prior to SMR Dec-2022 Release 1 allows attacker to access sensitive information via implicit intent.
Sources: cvelistv5, nvd
Samsung Mobile Devices vulnerabilities | cvebase