ivyv19 / GitHub-Test-repo

for testing purposes only

NowSecure static analysis: Outdated play-services-basement Library Contains Known Security Flaw #233

Open ivyv19 opened 6 months ago

ivyv19 commented 6 months ago

Finding Description

The app uses a vulnerable version of the play-services-basement library.

The play-services-basement library in versions prior to 18.0.2 is affected by CVE-2022-2390. Apps that were developed using this version of the Google Play Services SDK incorrectly set the mutability flag on PendingIntents that were passed to the Notification service, which can lead to unintended access.

Steps to Reproduce

This test generates a software bill of materials (SBOM) for the app and checks if it contains vulnerable versions of the play-services-base library.

Business Impact

Depending on how the library is used, this could lead to an attacker gaining access to all non-exported providers and/or gaining access to other providers the victim has permissions for.

These versions will potentially prevent the app from being published to the Google Play Store.

Remediation Resources

The evidence table shows all vulnerable instances of the play-services-basement library:

When inspecting the affected instances, please consider the following:

Update the version of all vulnerable instances of the play-services-basement library to version 18.0.2 or greater. Note that the affected instances might be a direct package dependency of your app or a dependency of a third-party library included in your project. If that's the case, you should update the third-party library or use a different one.

The Android Developers website describes how to get a list of all dependencies. Some included libraries also have their own dependencies; these steps identify them:

  1. Select View > Tool Windows > Gradle (or click Gradle in the tool windows bar).
  2. Expand AppName > Tasks > android and double-click androidDependencies.

After Gradle executes the task, the Run window should open to display the output. In the case of a transitive dependency, it may be necessary to update the version of the parent library directly included in the app in order to update the vulnerable library.

Risk and Regulatory Information

Severity: medium

CVSS: 6.1

Policy Category: Needs Remediation

Application

See more detail in the NowSecure Report

Evidence

Found Uses of Known Vulnerable play-services-basement Version

| Version | Source |
|---|---|
| 17.4.0 | /base.apkplay-services-basement.properties |

ivyv19 commented 6 months ago

Update: This finding has been marked as no longer dismissed by Ivy Valenzuela. Additional action is required.

Powered by NowSecure Platform

ivyv19 commented 6 months ago

Update: This finding has been dismissed by Ivy Valenzuela with reason "custom" and note "hello world". No additional action is required.

ivyv19 commented 6 months ago

Update: This finding has been marked as no longer dismissed by Ivy Valenzuela. Additional action is required.

ivyv19 commented 6 months ago

Update: This finding has been dismissed by Ivy Valenzuela with reason "custom" and note "hello world". No additional action is required.

ivyv19 commented 6 months ago

Update: This finding has been marked as no longer dismissed by Ivy Valenzuela. Additional action is required.

ivyv19 commented 6 months ago

Update: This finding has been dismissed by Ivy Valenzuela with reason "custom" and note "hello world". No additional action is required.

ivyv19 commented 6 months ago

Update: This finding has been marked as no longer dismissed by Ivy Valenzuela. Additional action is required.

ivyv19 commented 6 months ago

Update: This finding has been dismissed by Ivy Valenzuela with reason "custom" and note "hello world". No additional action is required.

ivyv19 commented 6 months ago

Update: This finding has been marked as no longer dismissed by Ivy Valenzuela. Additional action is required.