Lucene search

GoogleOSV:ASB-A-240685104

HistoryNov 01, 2022 - 12:00 a.m.

Path traversal in MmsProvider#update leading to permanent DoS

2022-11-0100:00:00

Google

osv.dev

mmsprovider

directory permissions

denial of service

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.3 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.7%

JSON

In update of MmsProvider.java, there is a possible constriction of directory permissions due to a path traversal error. This could lead to local denial of service of SIM recognition with no additional execution privileges needed. User interaction is needed for exploitation.

CPENameOperatorVersion
platform/packages/providers/telephonyprovidereq12
platform/packages/providers/telephonyprovidereq12L
platform/packages/providers/telephonyprovidereq11
platform/packages/providers/telephonyprovidereq13
platform/packages/providers/telephonyprovidereq10

Name	Operator	Version
platform/packages/providers/telephonyprovider	eq	12
platform/packages/providers/telephonyprovider	eq	12L
platform/packages/providers/telephonyprovider	eq	11
platform/packages/providers/telephonyprovider	eq	13
platform/packages/providers/telephonyprovider	eq	10

References

android.googlesource.com/platform/packages/providers/TelephonyProvider/+/fc6557b9bf18d71b0f496f7302c47feeaa3fc5e2

source.android.com/security/bulletin/2022-11-01

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.3 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.7%

JSON

Related for OSV:ASB-A-240685104