Vulnerability Details : CVE-2009-1754
The PackageManagerService class in services/java/com/android/server/PackageManagerService.java in Android 1.5 through 1.5 CRB42 does not properly check developer certificates during processing of sharedUserId requests at an application's installation time, which allows remote user-assisted attackers to access application data by creating a package that specifies a shared user ID with an arbitrary application.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2009-1754
- cpe:2.3:o:google:android:1.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-1754
- EPSS score: 0.41% (probability of exploitation activity in the next 30 days)
- Percentile: ~71% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2009-1754
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2009-1754
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-1754
- http://www.securityfocus.com/archive/1/503770
- http://www.securityfocus.com/bid/35090
- http://www.openwall.com/lists/oss-security/2009/05/22/14
- http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=5d6d773fab559fdc12e553d60d789f3991ac552c (Patch; Vendor Advisory)
- http://www.ocert.org/advisories/ocert-2009-006.html (Patch)