Lucene search

[email protected]CVE-2015-3858

HistoryOct 01, 2015 - 12:59 a.m.

CVE-2015-3858

2015-10-0100:59:27

CWE-264

[email protected]

web.nvd.nist.gov

android

sms short-code

authorization check

cve-2015-3858

nvd

security vulnerability

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

23.3%

JSON

The checkDestination function in internal/telephony/SMSDispatcher.java in Android before 5.1.1 LMY48M relies on an obsolete permission name for an authorization check, which allows attackers to bypass an intended user-confirmation requirement for SMS short-code messaging via a crafted application, aka internal bug 22314646.

Affected configurations

NVD

Node

googleandroidRange≤5.1

CPENameOperatorVersion
google:androidgoogle androidle5.1

CPE	Name	Operator	Version
google:android	google android	le	5.1

References

android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586

groups.google.com/forum/message/raw?msg=android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

23.3%

JSON

Related for CVE-2015-3858

prion1 nvd1 cvelist1 androidsecurity1