Samsung Mobile Devices vulnerabilities

CVE-2022-39899 [MEDIUM] CWE-287 CVE-2022-39899: Improper authentication vulnerability in Samsung WindowManagerService prior to SMR Dec-2022 Release Improper authentication vulnerability in Samsung WindowManagerService prior to SMR Dec-2022 Release 1 allows attacker to send the input event using S Pen gesture.

CVE-2022-39901 [MEDIUM] CWE-287 CVE-2022-39901: Improper authentication in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to Improper authentication in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to disable the network traffic encryption between UE and gNodeB.

CVE-2022-39904 [LOW] CWE-200 CVE-2022-39904: Exposure of Sensitive Information vulnerability in Samsung Settings prior to SMR Dec-2022 Release 1 Exposure of Sensitive Information vulnerability in Samsung Settings prior to SMR Dec-2022 Release 1 allows local attackers to access the Network Access Identifier via log.

CVE-2022-39898 [LOW] CWE-284 CVE-2022-39898: Improper access control vulnerability in IIccPhoneBook prior to SMR Dec-2022 Release 1 allows attack Improper access control vulnerability in IIccPhoneBook prior to SMR Dec-2022 Release 1 allows attackers to access some information of usim.

CVE-2022-39906 [LOW] CWE-284 CVE-2022-39906: Improper access control vulnerability in SecTelephonyProvider prior to SMR Dec-2022 Release 1 allows Improper access control vulnerability in SecTelephonyProvider prior to SMR Dec-2022 Release 1 allows attackers to access message information.

CVE-2022-39914 [LOW] CWE-200 CVE-2022-39914: Exposure of Sensitive Information from an Unauthorized Actor vulnerability in Samsung DisplayManager Exposure of Sensitive Information from an Unauthorized Actor vulnerability in Samsung DisplayManagerService prior to Android T(13) allows local attacker to access connected DLNA device information.

CVE-2022-39903 [LOW] CWE-200 CVE-2022-39903: Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attac Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.

CVE-2022-39913 [LOW] CWE-200 CVE-2022-39913: Exposure of Sensitive Information to an Unauthorized Actor in Persona Manager prior to Android T(13) Exposure of Sensitive Information to an Unauthorized Actor in Persona Manager prior to Android T(13) allows local attacker to access user profiles information.

CVE-2022-39895 [LOW] CWE-284 CVE-2022-39895: Improper access control vulnerability in ContactListUtils in Phone prior to SMR Dec-2022 Release 1 a Improper access control vulnerability in ContactListUtils in Phone prior to SMR Dec-2022 Release 1 allows to access contact group information via implicit intent.

CVE-2022-39912 [LOW] CWE-280 CVE-2022-39912: Improper handling of insufficient permissions vulnerability in setSecureFolderPolicy in PersonaManag Improper handling of insufficient permissions vulnerability in setSecureFolderPolicy in PersonaManagerService prior to Android T(13) allows local attackers to set some setting value in Secure folder.

CVE-2022-39894 [LOW] CWE-284 CVE-2022-39894: Improper access control vulnerability in ContactListStartActivityHelper in Phone prior to SMR Dec-20 Improper access control vulnerability in ContactListStartActivityHelper in Phone prior to SMR Dec-2022 Release 1 allows to access sensitive information via implicit intent.

CVE-2022-39896 [LOW] CWE-284 CVE-2022-39896: Improper access control vulnerabilities in Contacts prior to SMR Dec-2022 Release 1 allows to access Improper access control vulnerabilities in Contacts prior to SMR Dec-2022 Release 1 allows to access sensitive information via implicit intent.

CVE-2022-39881 [CRITICAL] CWE-20 CVE-2022-39881: Improper input validation vulnerability for processing SIB12 PDU in Exynos modems prior to SMR Sep-2 Improper input validation vulnerability for processing SIB12 PDU in Exynos modems prior to SMR Sep-2022 Release allows remote attacker to read out of bounds memory.

CVE-2022-39880 [HIGH] CWE-20 CVE-2022-39880: Improper input validation vulnerability in DualOutFocusViewer prior to SMR Nov-2022 Release 1 allows Improper input validation vulnerability in DualOutFocusViewer prior to SMR Nov-2022 Release 1 allows local attacker to perform an arbitrary code execution.

CVE-2022-39883 [HIGH] CWE-285 CVE-2022-39883: Improper authorization vulnerability in StorageManagerService prior to SMR Nov-2022 Release 1 allows Improper authorization vulnerability in StorageManagerService prior to SMR Nov-2022 Release 1 allows local attacker to call privileged API.

CVE-2022-39882 [HIGH] CWE-787 CVE-2022-39882: Heap overflow vulnerability in sflacf_fal_bytes_peek function in libsmat.so library prior to SMR Nov Heap overflow vulnerability in sflacf_fal_bytes_peek function in libsmat.so library prior to SMR Nov-2022 Release 1 allows local attacker to execute arbitrary code.

CVE-2022-39886 [LOW] CWE-280 CVE-2022-39886: Improper access control vulnerability in IpcRxServiceModeBigDataInfo in RIL prior to SMR Nov-2022 Re Improper access control vulnerability in IpcRxServiceModeBigDataInfo in RIL prior to SMR Nov-2022 Release 1 allows local attacker to access Device information.

CVE-2022-39885 [LOW] CWE-280 CVE-2022-39885: Improper access control vulnerability in BootCompletedReceiver_CMCC in DeviceManagement prior to SMR Improper access control vulnerability in BootCompletedReceiver_CMCC in DeviceManagement prior to SMR Nov-2022 Release 1 allows local attacker to access to Device information.

CVE-2022-39887 [LOW] CWE-284 CVE-2022-39887: Improper access control vulnerability in clearAllGlobalProxy in MiscPolicy prior to SMR Nov-2022 Rel Improper access control vulnerability in clearAllGlobalProxy in MiscPolicy prior to SMR Nov-2022 Release 1 allows local attacker to configure EDM setting.

CVE-2022-39879 [LOW] CWE-285 CVE-2022-39879: Improper authorization vulnerability in?CallBGProvider prior to SMR Nov-2022 Release 1 allows local Improper authorization vulnerability in?CallBGProvider prior to SMR Nov-2022 Release 1 allows local attacker to grant permission for accessing information with phone uid.