CVE-2021-25393

Published: Jun 11, 2021Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid data.

Affected (2)

Products: Google: Android

Google

1 product

Android

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Google Android	Version 10.0
Google Android	Version 11.0

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/

Source: mobile.security@samsung.com

ExploitThird Party Advisory

https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=5

Source: mobile.security@samsung.com

Vendor Advisory

https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=5

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.