Nivaskumark / packages_apps_Settings_CVE-2020-0188_A10_R33


Settingsandroid-10.0.0_r41: 20 vulnerabilities (highest severity is: 9.8) #2

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago
## Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

## Vulnerable Source Files (1)

/src/com/android/settings/connecteddevice/ConnectedDeviceDashboardFragment.java

## Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (Settingsandroid version) | Remediation Possible** |
|-----|----------|------|------------|------|------------------------------------|------------------------|
| CVE-2023-20946 | Critical | 9.8 | Settingsandroid-10.0.0_r41 | Direct | N/A | |
| CVE-2023-20960 | High | 8.8 | Settingsandroid-10.0.0_r41 | Direct | android-13.0.0_r32 | |
| CVE-2022-20347 | High | 8.8 | Settingsandroid-10.0.0_r41 | Direct | N/A | |
| CVE-2020-0416 | High | 8.8 | Settingsandroid-10.0.0_r41 | Direct | N/A | |
| CVE-2023-21256 | High | 7.8 | Settingsandroid-10.0.0_r41 | Direct | android-13.0.0_r57 | |
| CVE-2023-20959 | High | 7.8 | Settingsandroid-10.0.0_r41 | Direct | android-13.0.0_r32 | |
| CVE-2022-20223 | High | 7.8 | Settingsandroid-10.0.0_r41 | Direct | android-12.1.0_r9 | |
| CVE-2021-39707 | High | 7.8 | Settingsandroid-10.0.0_r41 | Direct | android-12.1.0_r1 | |
| CVE-2021-0505 | High | 7.8 | Settingsandroid-10.0.0_r41 | Direct | android-11.0.0_r38 | |
| CVE-2021-0481 | High | 7.8 | Settingsandroid-10.0.0_r41 | Direct | android-11.0.0_r36 | |
| CVE-2021-0305 | High | 7.8 | Settingsandroid-10.0.0_r41 | Direct | N/A | |
| CVE-2020-0219 | High | 7.8 | Settingsandroid-10.0.0_r41 | Direct | android-10.0.0_r37 | |
| CVE-2021-0331 | High | 7.3 | Settingsandroid-10.0.0_r41 | Direct | android-11.0.0_r29 | |
| CVE-2020-0133 | High | 7.3 | Settingsandroid-10.0.0_r41 | Direct | android-10.0.0_r37 | |
| CVE-2023-21016 | Medium | 5.5 | Settingsandroid-10.0.0_r41 | Direct | android-13.0.0_r32 | |
| CVE-2023-20962 | Medium | 5.5 | Settingsandroid-10.0.0_r41 | Direct | android-13.0.0_r32 | |
| CVE-2022-20515 | Medium | 5.5 | Settingsandroid-10.0.0_r41 | Direct | android-13.0.0_r16 | |
| CVE-2022-20396 | Medium | 5.5 | Settingsandroid-10.0.0_r41 | Direct | android-13.0.0_r4 | |
| CVE-2022-20350 | Medium | 5.5 | Settingsandroid-10.0.0_r41 | Direct | N/A | |
| CVE-2022-20112 | Medium | 5.5 | Settingsandroid-10.0.0_r41 | Direct | android-12.1.0_r5 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

## Details

## CVE-2023-20946

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/connecteddevice/BluetoothDashboardFragment.java

### Vulnerability Details

In onStart of BluetoothSwitchPreferenceController.java, there is a possible permission bypass due to a confused deputy. This could lead to remote escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-244423101

Publish Date: 2023-02-28

URL: CVE-2023-20946

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
## CVE-2023-20960

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/homepage/SettingsHomepageActivity.java

### Vulnerability Details

In launchDeepLinkIntentToRight of SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12L, Android-13. Android ID: A-250589026

Publish Date: 2023-03-24

URL: CVE-2023-20960

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/docs/security/bulletin/2023-03-01

Release Date: 2023-03-24

Fix Resolution: android-13.0.0_r32

## CVE-2022-20347

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/connecteddevice/ConnectedDeviceDashboardFragment.java

### Vulnerability Details

In onAttach of ConnectedDeviceDashboardFragment.java, there is a possible permission bypass due to a confused deputy. This could lead to remote escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-228450811

Publish Date: 2022-08-10

URL: CVE-2022-20347

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

## CVE-2020-0416

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/widget/AppSwitchPreference.java

### Vulnerability Details

In multiple settings screens, there are possible tapjacking attacks due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9, Android-10, Android-11, Android-8.0, Android-8.1. Android ID: A-155288585

Publish Date: 2020-10-14

URL: CVE-2020-0416

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

## CVE-2023-21256

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/homepage/SettingsHomepageActivity.java

### Vulnerability Details

In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Publish Date: 2023-07-13

URL: CVE-2023-21256

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-21256

Release Date: 2023-07-12

Fix Resolution: android-13.0.0_r57

## CVE-2023-20959

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/users/UserSettings.java

### Vulnerability Details

In AddSupervisedUserActivity, guest users are not prevented from starting the activity due to missing permissions checks. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-249057848

Publish Date: 2023-03-24

URL: CVE-2023-20959

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/ee476cab1832f7aaa1b0dba429012ee7e15163b9

Release Date: 2023-03-24

Fix Resolution: android-13.0.0_r32

## CVE-2022-20223

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/users/AppRestrictionsFragment.java

### Vulnerability Details

In assertSafeToStartCustomActivity of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-223578534

Publish Date: 2022-07-13

URL: CVE-2022-20223

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/abadb382114fa8af5209295c9bae2ca2b08935f3

Release Date: 2022-07-13

Fix Resolution: android-12.1.0_r9

## CVE-2021-39707

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/users/AppRestrictionsFragment.java

### Vulnerability Details

In onReceive of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12. Android ID: A-200688991

Publish Date: 2022-03-16

URL: CVE-2021-39707

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2022-03-01

Release Date: 2022-03-16

Fix Resolution: android-12.1.0_r1

## CVE-2021-0505

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/vpn2/AppPreference.java

### Vulnerability Details

In the Settings app, there is a possible way to disable an always-on VPN due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-179975048

Publish Date: 2021-06-21

URL: CVE-2021-0505

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2021-06-01

Release Date: 2021-06-21

Fix Resolution: android-11.0.0_r38

## CVE-2021-0481

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/users/EditUserPhotoController.java

### Vulnerability Details

In onActivityResult of EditUserPhotoController.java, there is a possible access of unauthorized files due to an unexpected URI handler. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.1, Android-9, Android-10, Android-11. Android ID: A-172939189

Publish Date: 2021-06-11

URL: CVE-2021-0481

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2021-05-01

Release Date: 2021-06-11

Fix Resolution: android-11.0.0_r36

## CVE-2021-0305

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/notification/ZenAccessSettings.java

### Vulnerability Details

In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.1, Android-9, Android-10. Android ID: A-154015447

Publish Date: 2021-02-10

URL: CVE-2021-0305

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

## CVE-2020-0219

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/slices/SliceDeepLinkSpringBoard.java

### Vulnerability Details

In onCreate of SliceDeepLinkSpringBoard.java, there is a possible insecure Intent. This could lead to local elevation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-122836081

Publish Date: 2020-06-11

URL: CVE-2020-0219

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0219

Release Date: 2020-06-11

Fix Resolution: android-10.0.0_r37

## CVE-2021-0331

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java

### Vulnerability Details

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible overlay attack due to an insecure default value. This could lead to local escalation of privilege and notification access with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9, Android-10, Android-11, Android-8.1. Android ID: A-170731783

Publish Date: 2021-02-10

URL: CVE-2021-0331

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2021-02-01

Release Date: 2021-02-10

Fix Resolution: android-11.0.0_r29

## CVE-2020-0133

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/development/MockLocationAppPreferenceController.java

### Vulnerability Details

In MockLocationAppPreferenceController.java, it is possible to mock the GPS location of the device due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-145136060

Publish Date: 2020-06-11

URL: CVE-2020-0133

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/refs/tags/android-10.0.0_r37

Release Date: 2020-06-11

Fix Resolution: android-10.0.0_r37

## CVE-2023-21016

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/accounts/AccountTypePreference.java

### Vulnerability Details

In AccountTypePreference of AccountTypePreference.java, there is a possible way to mislead the user about accounts installed on the device due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-213905884

Publish Date: 2023-03-24

URL: CVE-2023-21016

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/a52ba15823678bc6f387b20374c6a37ad5cde5c3

Release Date: 2023-03-24

Fix Resolution: android-13.0.0_r32

## CVE-2023-20962

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/notification/MediaVolumePreferenceController.java

### Vulnerability Details

In getSliceEndItem of MediaVolumePreferenceController.java, there is a possible way to start foreground activity from the background due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-256590210

Publish Date: 2023-03-24

URL: CVE-2023-20962

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/09a6899fc2271d260ec2979b1afc8eef1847b34a

Release Date: 2023-03-24

Fix Resolution: android-13.0.0_r32

## CVE-2022-20515

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/accounts/AccountTypePreferenceLoader.java

### Vulnerability Details

In onPreferenceClick of AccountTypePreferenceLoader.java, there is a possible way to retrieve protected files from the Settings app due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-220733496

Publish Date: 2022-12-16

URL: CVE-2022-20515

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://android.googlesource.com/platform/packages/apps/Settings/+/2c1b1aa81346c68179a88bad31f23ed976517954

Release Date: 2022-12-16

Fix Resolution: android-13.0.0_r16

## CVE-2022-20396

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/connecteddevice/ConnectedDeviceDashboardFragment.java

### Vulnerability Details

In SettingsActivity.java, there is a possible way to make a device discoverable over Bluetooth, without permission or user interaction, due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12L, Android-13. Android ID: A-234440688

Publish Date: 2022-09-13

URL: CVE-2022-20396

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/docs/security/bulletin/2022-09-01

Release Date: 2022-09-13

Fix Resolution: android-13.0.0_r4

## CVE-2022-20350

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java

### Vulnerability Details

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way to trick the victim to grant notification access to the wrong app due to improper input validation. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-228178437

Publish Date: 2022-08-10

URL: CVE-2022-20350

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

## CVE-2022-20112

### Vulnerable Library - Settingsandroid-10.0.0_r41

Library home page: https://android.googlesource.com/platform/packages/apps/Settings

Found in HEAD commit: f0bee7548e0ea27e50193e8bd5c65de6c342fcfe

Found in base branch: master

### Vulnerable Source Files (1)

/src/com/android/settings/network/PrivateDnsPreferenceController.java

### Vulnerability Details

In getAvailabilityStatus of PrivateDnsPreferenceController.java, there is a possible way for a guest user to change private DNS settings due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-206987762

Publish Date: 2022-05-10

URL: CVE-2022-20112

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2022-05-01

Release Date: 2022-05-10

Fix Resolution: android-12.1.0_r5

mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-bolt-for-github[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.