Open mend-bolt-for-github[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Vulnerable Source Files (1)
/src/com/android/settings/connecteddevice/ConnectedDeviceDashboardFragment.java
Vulnerabilities
In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-20946
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/connecteddevice/BluetoothDashboardFragment.java
### Vulnerability Details
In onStart of BluetoothSwitchPreferenceController.java, there is a possible permission bypass due to a confused deputy. This could lead to remote escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-11 Android-12 Android-12L Android-13
Android ID: A-244423101
Publish Date: 2023-02-28
URL: CVE-2023-20946
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-20960
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/homepage/SettingsHomepageActivity.java
### Vulnerability Details
In launchDeepLinkIntentToRight of SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-12L Android-13
Android ID: A-250589026
Publish Date: 2023-03-24
URL: CVE-2023-20960
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://source.android.com/docs/security/bulletin/2023-03-01
Release Date: 2023-03-24
Fix Resolution: android-13.0.0_r32
CVE-2022-20347
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/connecteddevice/ConnectedDeviceDashboardFragment.java
### Vulnerability Details
In onAttach of ConnectedDeviceDashboardFragment.java, there is a possible permission bypass due to a confused deputy. This could lead to remote escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-10 Android-11 Android-12 Android-12L
Android ID: A-228450811
Publish Date: 2022-08-10
URL: CVE-2022-20347
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

CVE-2020-0416
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/widget/AppSwitchPreference.java
### Vulnerability Details
In multiple settings screens, there are possible tapjacking attacks due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.
Product: Android
Versions: Android-9 Android-10 Android-11 Android-8.0 Android-8.1
Android ID: A-155288585
Publish Date: 2020-10-14
URL: CVE-2020-0416
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

CVE-2023-21256
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/homepage/SettingsHomepageActivity.java
### Vulnerability Details
In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
Publish Date: 2023-07-13
URL: CVE-2023-21256
### CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-21256
Release Date: 2023-07-12
Fix Resolution: android-13.0.0_r57
CVE-2023-20959
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/users/UserSettings.java
### Vulnerability Details
In AddSupervisedUserActivity, guest users are not prevented from starting the activity due to missing permissions checks. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-13
Android ID: A-249057848
Publish Date: 2023-03-24
URL: CVE-2023-20959
### CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/ee476cab1832f7aaa1b0dba429012ee7e15163b9
Release Date: 2023-03-24
Fix Resolution: android-13.0.0_r32
CVE-2022-20223
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/users/AppRestrictionsFragment.java
### Vulnerability Details
In assertSafeToStartCustomActivity of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-10 Android-11 Android-12 Android-12L
Android ID: A-223578534
Publish Date: 2022-07-13
URL: CVE-2022-20223
### CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/abadb382114fa8af5209295c9bae2ca2b08935f3
Release Date: 2022-07-13
Fix Resolution: android-12.1.0_r9
CVE-2021-39707
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/users/AppRestrictionsFragment.java
### Vulnerability Details
In onReceive of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-10 Android-11 Android-12
Android ID: A-200688991
Publish Date: 2022-03-16
URL: CVE-2021-39707
### CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://source.android.com/security/bulletin/2022-03-01
Release Date: 2022-03-16
Fix Resolution: android-12.1.0_r1
CVE-2021-0505
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/vpn2/AppPreference.java
### Vulnerability Details
In the Settings app, there is a possible way to disable an always-on VPN due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-11
Android ID: A-179975048
Publish Date: 2021-06-21
URL: CVE-2021-0505
### CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://source.android.com/security/bulletin/2021-06-01
Release Date: 2021-06-21
Fix Resolution: android-11.0.0_r38
CVE-2021-0481
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/users/EditUserPhotoController.java
### Vulnerability Details
In onActivityResult of EditUserPhotoController.java, there is a possible access of unauthorized files due to an unexpected URI handler. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
Product: Android
Versions: Android-8.1 Android-9 Android-10 Android-11
Android ID: A-172939189
Publish Date: 2021-06-11
URL: CVE-2021-0481
### CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://source.android.com/security/bulletin/2021-05-01
Release Date: 2021-06-11
Fix Resolution: android-11.0.0_r36
CVE-2021-0305
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/notification/ZenAccessSettings.java
### Vulnerability Details
In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.
Product: Android
Versions: Android-8.1 Android-9 Android-10
Android ID: A-154015447
Publish Date: 2021-02-10
URL: CVE-2021-0305
### CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

CVE-2020-0219
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/slices/SliceDeepLinkSpringBoard.java
### Vulnerability Details
In onCreate of SliceDeepLinkSpringBoard.java there is a possible insecure Intent. This could lead to local elevation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-10
Android ID: A-122836081
Publish Date: 2020-06-11
URL: CVE-2020-0219
### CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0219
Release Date: 2020-06-11
Fix Resolution: android-10.0.0_r37
CVE-2021-0331
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java
### Vulnerability Details
In onCreate of NotificationAccessConfirmationActivity.java, there is a possible overlay attack due to an insecure default value. This could lead to local escalation of privilege and notification access with User execution privileges needed. User interaction is needed for exploitation.
Product: Android
Versions: Android-9 Android-10 Android-11 Android-8.1
Android ID: A-170731783
Publish Date: 2021-02-10
URL: CVE-2021-0331
### CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://source.android.com/security/bulletin/2021-02-01
Release Date: 2021-02-10
Fix Resolution: android-11.0.0_r29
CVE-2020-0133
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/development/MockLocationAppPreferenceController.java
### Vulnerability Details
In MockLocationAppPreferenceController.java, it is possible to mock the GPS location of the device due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.
Product: Android
Versions: Android-10
Android ID: A-145136060
Publish Date: 2020-06-11
URL: CVE-2020-0133
### CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/refs/tags/android-10.0.0_r37
Release Date: 2020-06-11
Fix Resolution: android-10.0.0_r37
CVE-2023-21016
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/accounts/AccountTypePreference.java
### Vulnerability Details
In AccountTypePreference of AccountTypePreference.java, there is a possible way to mislead the user about accounts installed on the device due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-13
Android ID: A-213905884
Publish Date: 2023-03-24
URL: CVE-2023-21016
### CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/a52ba15823678bc6f387b20374c6a37ad5cde5c3
Release Date: 2023-03-24
Fix Resolution: android-13.0.0_r32
CVE-2023-20962
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/notification/MediaVolumePreferenceController.java
### Vulnerability Details
In getSliceEndItem of MediaVolumePreferenceController.java, there is a possible way to start foreground activity from the background due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-13
Android ID: A-256590210
Publish Date: 2023-03-24
URL: CVE-2023-20962
### CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/09a6899fc2271d260ec2979b1afc8eef1847b34a
Release Date: 2023-03-24
Fix Resolution: android-13.0.0_r32
CVE-2022-20515
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
### Vulnerability Details
In onPreferenceClick of AccountTypePreferenceLoader.java, there is a possible way to retrieve protected files from the Settings app due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-13
Android ID: A-220733496
Publish Date: 2022-12-16
URL: CVE-2022-20515
### CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/2c1b1aa81346c68179a88bad31f23ed976517954
Release Date: 2022-12-16
Fix Resolution: android-13.0.0_r16
CVE-2022-20396
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/connecteddevice/ConnectedDeviceDashboardFragment.java
### Vulnerability Details
In SettingsActivity.java, there is a possible way to make a device discoverable over Bluetooth, without permission or user interaction, due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-12L Android-13
Android ID: A-234440688
Publish Date: 2022-09-13
URL: CVE-2022-20396
### CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://source.android.com/docs/security/bulletin/2022-09-01
Release Date: 2022-09-13
Fix Resolution: android-13.0.0_r4
CVE-2022-20350
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java
### Vulnerability Details
In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way to trick the victim to grant notification access to the wrong app due to improper input validation. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-10 Android-11 Android-12 Android-12L
Android ID: A-228178437
Publish Date: 2022-08-10
URL: CVE-2022-20350
### CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

CVE-2022-20112
### Vulnerable Library - Settingsandroid-10.0.0_r41
Library home page: https://android.googlesource.com/platform/packages/apps/Settings
Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe
Found in base branch: master
### Vulnerable Source Files (1)
/src/com/android/settings/network/PrivateDnsPreferenceController.java
### Vulnerability Details
In getAvailabilityStatus of PrivateDnsPreferenceController.java, there is a possible way for a guest user to change private DNS settings due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-10 Android-11 Android-12 Android-12L
Android ID: A-206987762
Publish Date: 2022-05-10
URL: CVE-2022-20112
### CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://source.android.com/security/bulletin/2022-05-01
Release Date: 2022-05-10
Fix Resolution: android-12.1.0_r5