| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-14783 |
264 |
|
|
2019-08-08 |
2019-09-25 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, FotaAgent allows a malicious application to create privileged files. The Samsung ID is SVE-2019-14764. |
|
2 |
CVE-2019-9455 |
200 |
|
+Info |
2019-09-06 |
2019-09-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the Android kernel in the video driver there is a kernel pointer leak due to a WARN_ON statement. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. |
|
3 |
CVE-2019-9453 |
20 |
|
|
2019-09-06 |
2019-09-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the Android kernel in F2FS touch driver there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation. |
|
4 |
CVE-2019-9452 |
125 |
|
|
2019-09-06 |
2019-09-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the Android kernel in SEC_TS touch driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. |
|
5 |
CVE-2019-9449 |
125 |
|
|
2019-09-06 |
2019-09-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the Android kernel in FingerTipS touchscreen driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation. |
|
6 |
CVE-2019-9445 |
125 |
|
|
2019-09-06 |
2019-09-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation. |
|
7 |
CVE-2019-9444 |
200 |
|
+Info |
2019-09-06 |
2019-09-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the Android kernel in sync debug fs driver there is a kernel pointer leak due to the usage of printf with %p. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation. |
|
8 |
CVE-2019-9440 |
610 |
|
|
2019-09-27 |
2019-10-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In AOSP Email, there is a possible information disclosure due to a confused deputy. This could lead to local disclosure of the Email app's protected files with User execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-37637796 |
|
9 |
CVE-2019-9438 |
610 |
|
|
2019-09-27 |
2019-10-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the Package Manager service, there is a possible information disclosure due to a confused deputy. This could lead to local disclosure of information about installed packages for other users with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-77821568 |
|
10 |
CVE-2019-9435 |
125 |
|
|
2019-09-27 |
2019-09-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-80146682 |
|
11 |
CVE-2019-9427 |
416 |
|
|
2019-09-27 |
2019-10-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In Bluetooth, there is a possible information disclosure due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-110166350 |
|
12 |
CVE-2019-9417 |
125 |
|
|
2019-09-27 |
2019-09-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111450079 |
|
13 |
CVE-2019-9377 |
862 |
|
Bypass |
2019-09-27 |
2019-10-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In FingerprintService, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check. This could lead to a local information disclosure of metadata about the biometrics of another user on the device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-128599663 |
|
14 |
CVE-2019-9373 |
502 |
|
DoS |
2019-09-27 |
2019-10-03 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
In JobStore, there is a mismatched serialization/deserialization for the "battery-not-low" job attribute. This could lead to a local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-130173029 |
|
15 |
CVE-2019-9369 |
1187 |
|
|
2019-09-27 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In Bluetooth, there is a use of uninitialized variable. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-79995407 |
|
16 |
CVE-2019-9368 |
125 |
|
|
2019-09-27 |
2019-09-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-79883568 |
|
17 |
CVE-2019-9364 |
732 |
|
Bypass |
2019-09-27 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In AudioService, there is a possible trigger of background user audio due to a permissions bypass. This could lead to local information disclosure by playing the background user's audio with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-73364631 |
|
18 |
CVE-2019-9351 |
862 |
|
Bypass |
2019-09-27 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In SyncStatusObserver, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check. This could lead to local limited information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-128599864 |
|
19 |
CVE-2019-9347 |
416 |
|
Exec Code |
2019-09-27 |
2019-10-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the m4v_h263 codec, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109891727 |
|
20 |
CVE-2019-9312 |
125 |
|
|
2019-09-27 |
2019-10-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-78288018 |
|
21 |
CVE-2019-9292 |
610 |
|
|
2019-09-27 |
2019-10-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the Activity Manager service, there is a possible information disclosure due to a confused deputy. This could lead to local disclosure of current foreground process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115384617 |
|
22 |
CVE-2019-9289 |
125 |
|
|
2019-09-27 |
2019-10-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-79883824 |
|
23 |
CVE-2019-9287 |
125 |
|
|
2019-09-27 |
2019-10-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-78287084 |
|
24 |
CVE-2019-9280 |
732 |
|
Bypass |
2019-09-27 |
2019-10-07 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
In keyguard, there is a possible escalation of privilege due to improper permission checks. This could lead to a local bypass of the keyguard under limited circumstances, with User execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-119322269 |
|
25 |
CVE-2019-9277 |
532 |
|
|
2019-09-27 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the proc filesystem, there is a possible information disclosure due to log information disclosure. This could lead to local disclosure of app and browser activity with User execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-68016944 |
|
26 |
CVE-2019-9272 |
732 |
|
Bypass +Info |
2019-09-27 |
2019-09-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In WiFi, there is a possible leak of WiFi state due to a permissions bypass. This could lead to a local information disclosure which could be used to determine device location with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-11596047 |
|
27 |
CVE-2019-9268 |
416 |
|
|
2019-09-27 |
2019-10-04 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
In libstagefright, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the media server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-77474014 |
|
28 |
CVE-2019-9249 |
125 |
|
|
2019-09-27 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120255805 |
|
29 |
CVE-2019-9245 |
125 |
|
|
2019-09-06 |
2019-09-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In the Android kernel in the f2fs driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. |
|
30 |
CVE-2019-9243 |
125 |
|
|
2019-09-27 |
2019-10-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In wpa_supplicant_8, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120905706 |
|
31 |
CVE-2019-5804 |
77 |
|
|
2019-05-23 |
2019-06-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Incorrect command line processing in Chrome in Google Chrome prior to 73.0.3683.75 allowed a local attacker to perform domain spoofing via a crafted domain name. |
|
32 |
CVE-2019-2191 |
200 |
|
+Info |
2019-09-27 |
2019-10-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In LG's LAF component, there is a possible leak of information in a protected disk partition due to a missing bounds check. This could lead to local information disclosure via USB with User execution privileges needed. User interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-68770980 |
|
33 |
CVE-2019-2190 |
200 |
|
+Info |
2019-09-27 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In LG's LAF component, there is a possible leak of information in a protected disk partition due to a missing bounds check. This could lead to local information disclosure via USB with User execution privileges needed. User interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-68771598 |
|
34 |
CVE-2019-2180 |
20 |
|
|
2019-09-05 |
2019-09-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In ippSetValueTag of ipp.c in Android 8.0, 8.1 and 9, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure from the printer service with no additional execution privileges needed. User interaction is not needed for exploitation. |
|
35 |
CVE-2019-2124 |
200 |
|
+Info |
2019-09-05 |
2019-09-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In ComposeActivityEmailExternal of ComposeActivityEmailExternal.java in Android 7.1.1, 7.1.2, 8.0, 8.1 and 9, there is a possible way to silently attach files to an email due to a confused deputy. This could lead to local information disclosure. |
|
36 |
CVE-2019-2119 |
200 |
|
+Info |
2019-07-08 |
2019-07-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In multiple functions of key_store_service.cpp, there is a possible Information Disclosure due to improper locking. This could lead to local information disclosure of protected data with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-131622568. |
|
37 |
CVE-2019-2118 |
200 |
|
+Info |
2019-07-08 |
2019-07-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In various functions of Parcel.cpp, there are uninitialized or partially initialized stack variables. These could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-130161842. |
|
38 |
CVE-2019-2117 |
200 |
|
+Info |
2019-07-08 |
2019-07-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In checkQueryPermission of TelephonyProvider.java, there is a possible disclosure of secure data due to a missing permission check. This could lead to local information disclosure about carrier systems with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-124107808. |
|
39 |
CVE-2019-2113 |
264 |
|
Bypass |
2019-07-08 |
2019-07-09 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
In setup wizard there is a bypass of some checks when wifi connection is skipped. This could lead to factory reset protection bypass with no additional privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-122597079. |
|
40 |
CVE-2019-2104 |
200 |
|
+Info |
2019-07-08 |
2019-07-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In HIDL, safe_union, and other C++ structs/unions being sent to application processes, there are uninitialized fields. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-131356202 |
|
41 |
CVE-2019-2103 |
200 |
|
Bypass +Info |
2019-09-05 |
2019-09-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In Google Assistant in Android 9, there is a possible permissions bypass that allows the Assistant to take a screenshot of apps with FLAG_SECURE. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. |
|
42 |
CVE-2018-20073 |
200 |
|
+Info |
2019-06-27 |
2019-07-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Use of extended attributes in downloads in Google Chrome prior to 72.0.3626.81 allowed a local attacker to read download URLs via the filesystem. |
|
43 |
CVE-2018-18358 |
20 |
|
|
2018-12-11 |
2019-08-17 |
2.9 |
None |
Local Network |
Medium |
Not required |
None |
Partial |
None |
|
Lack of special casing of localhost in WPAD files in Google Chrome prior to 71.0.3578.80 allowed an attacker on the local network segment to proxy resources on localhost via a crafted WPAD file. |
|
44 |
CVE-2018-16079 |
362 |
|
|
2019-01-09 |
2019-01-15 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
A race condition between permission prompts and navigations in Prompts in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
|
45 |
CVE-2018-16075 |
254 |
|
|
2019-06-27 |
2019-07-01 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
Insufficient file type enforcement in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to obtain local file data via a crafted HTML page. |
|
46 |
CVE-2018-9581 |
200 |
|
+Info |
2019-09-27 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In WiFi, the RSSI value and SSID information is broadcast as part of android.net.wifi.RSSI_CHANGE and android.net.wifi.STATE_CHANGE intents. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111698366 |
|
47 |
CVE-2018-9566 |
125 |
|
|
2018-12-06 |
2018-12-31 |
2.9 |
None |
Local Network |
Medium |
Not required |
Partial |
None |
None |
|
In process_service_search_rsp of sdp_discovery.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure when connecting to a malicious Bluetooth device with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-74249842. |
|
48 |
CVE-2018-9554 |
200 |
|
Bypass +Info |
2018-12-06 |
2019-01-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In dumpExtractors of IMediaExtractor.cp, there is a possible disclosure of recently accessed media files due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1. Android ID: A-114770654. |
|
49 |
CVE-2018-9548 |
|
|
Bypass |
2018-12-06 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In multiple functions of ContentProvider.java, there is a possible permission bypass due to a missing URI validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112555574. |
|
50 |
CVE-2018-9544 |
125 |
|
|
2018-11-14 |
2018-12-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In register_app of btif_hd.cc, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure in the Bluetooth service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-113037220 |
