Google » Android : Security Vulnerabilities, CVEs, (Gain Privilege) CVSS score >= 6

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

The vulnerability is the use of implicit PendingIntents without the PendingIntent.FLAG_IMMUTABLE set that leads to theft and/or (over-)write of arbitrary files with system privilege in the Personalized service ("com.lge.abba") app. The attacker's app, if it had access to app notifications, could intercept them and redirect them to its activity, before making it grant access permissions to content providers with the `android:grantUriPermissions="true"` flag.

The vulnerability is the use of implicit PendingIntents with the PendingIntent.FLAG_MUTABLE set that leads to theft and/or (over-)write of arbitrary files with system privilege in the Bluetooth ("com.lge.bluetoothsetting") app. The attacker's app, if it had access to app notifications, could intercept them and redirect them to its activity, before making it grant access permissions to content providers with the `android:grantUriPermissions="true"` flag.

In gatt_process_prep_write_rsp of gatt_cl.cc, there is a possible privilege escalation due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

In (TBD) of (TBD), there is a possible way to bypass the lockscreen due to Biometric Auth Failure. This could lead to local escalation of privilege with physical access to the device with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-240428519References: N/A

In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for exploitation.

Elevation of privilege

Elevation of privilege

In trusty_ffa_mem_reclaim of shared-mem-smcall.c, there is a possible privilege escalation due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-237838301References: N/A

Improper authorization vulnerability in StorageManagerService prior to SMR Nov-2022 Release 1 allows local attacker to call privileged API.

Improper protection in IOMMU prior to SMR Oct-2022 Release 1 allows unauthorized access to secure memory.

In Music service, there is a missing permission check. This could lead to elevation of privilege in Music service with no additional execution privileges needed.

In Music service, there is a missing permission check. This could lead to elevation of privilege in Music service with no additional execution privileges needed.

In Music service, there is a missing permission check. This could lead to elevation of privilege in Music service with no additional execution privileges needed.

In Music service, there is a missing permission check. This could lead to elevation of privilege in Music service with no additional execution privileges needed.

In Soundrecorder service, there is a missing permission check. This could lead to elevation of privilege in Soundrecorder service with no additional execution privileges needed.

In messaging service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.

In messaging service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.

In soundrecorder service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.

In soundrecorder service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.

Improper access control vulnerability in Samsung Dex for PC prior to SMR Aug-2022 Release 1 allows local attackers to scan and connect to PC by unprotected binder call.

Improper access control vulnerability in DesktopSystemUI prior to SMR Aug-2022 Release 1 allows attackers to enable and disable arbitrary components.

Improper access control vulnerability in SemWifiApBroadcastReceiver prior to SMR Aug-2022 Release 1 allows attacker to reset a setting value related to mobile hotspot.

Improper authorization vulnerability in Knoxguard prior to SMR Jul-2022 Release 1 allows local attacker to disable keyguard and bypass Knoxguard lock by factory reset.

Improper access control vulnerability in TelephonyUI prior to SMR Jul-2022 Release 1 allows attackers to change preferred network type by unprotected binder call.