CVE-2022-23835

Published: Feb 25, 2022Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a "concrete and exploitable risk.

Affected (1)

Products: Visual Voice Mail Project: Visual Voice Mail

Visual Voice Mail Project

1 product

Visual Voice Mail

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Visual Voice Mail Project Visual Voice Mail	Up to 2022-02-24

Related CWEs

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (4)

https://gitlab.com/kop316/vvm-disclosure

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.kb.cert.org/vuls/id/383864

Source: cve@mitre.org

Third Party AdvisoryUS Government Resource

https://gitlab.com/kop316/vvm-disclosure

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.kb.cert.org/vuls/id/383864

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.