Insufficient Verification of Data Authenticity

CVE-2022-20396

Medium

5.5/10

Summary

In SettingsActivity.java, there is a possible way to make a device discoverable over Bluetooth, without permission or user interaction, due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12L Android-13Android ID: A-234440688

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-345 - Insufficient Verification of Data Authenticity

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References

Advisory Timeline

Published Sep 13, 2022

Insufficient Verification of Data Authenticity

CVE-2022-20396

Summary

CWE-345 - Insufficient Verification of Data Authenticity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS