Missing Authorization
CVE-2021-0986
Summary
In hasGrantedPolicy of DevicePolicyManagerService.java, there is a possible information disclosure about the device owner, profile owner, or device admin due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-192247339
- LOW
- LOCAL
- NONE
- UNCHANGED
- NONE
- LOW
- HIGH
- NONE
CWE-862 - Missing Authorization
The missing authorization vulnerability occurs when a software program allows users to access privileged parts of the program without verifying the user credentials. Impact of such a vulnerability depends on the resources employed by the software, ranging from account takeover to sensitive information exposure, denial of service, and complete system takeover.
References
Advisory Timeline
- Published