CVE-2024-43089

Published: Nov 13, 2024Modified: Dec 17, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

In updateInternal of MediaProvider.java , there is a possible access of another app's files due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected (5)

Products: Google: Android

1 product

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Google Android	Version 12.0
Google Android	Version 12.1
Google Android	Version 13.0
Google Android	Version 14.0
Google Android	Version 15.0

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://android.googlesource.com/platform/packages/providers/MediaProvider/+/33ff6a663eea1fcdd2b422b98722c1dee48a7f6a

Source: security@android.com

Mailing ListPatch

https://source.android.com/security/bulletin/2024-11-01

Source: security@android.com

PatchVendor Advisory

Timeline

No history available yet.