Lucene search

MitreCVE-2014-8609

HistoryDec 15, 2014 - 6:59 p.m.

CVE-2014-8609

2014-12-1518:59:18

CWE-264

mitre

web.nvd.nist.gov

android

settings

addaccount

pendingintent

system uid

bug 17356824

nvd

cve-2014-8609

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

42.2%

JSON

The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824.

Affected configurations

Nvd

Node

googleandroidRange≤4.4.4

googleandroidMatch4.0

googleandroidMatch4.0.1

googleandroidMatch4.0.2

googleandroidMatch4.0.3

googleandroidMatch4.0.4

googleandroidMatch4.1

googleandroidMatch4.1.2

googleandroidMatch4.2

googleandroidMatch4.2.1

googleandroidMatch4.2.2

googleandroidMatch4.3

googleandroidMatch4.3.1

googleandroidMatch4.4

googleandroidMatch4.4.1

googleandroidMatch4.4.2

googleandroidMatch4.4.3

VendorProductVersionCPE
googleandroid*cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
googleandroid4.0cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*
googleandroid4.0.1cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*
googleandroid4.0.2cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*
googleandroid4.0.3cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*
googleandroid4.0.4cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*
googleandroid4.1cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*
googleandroid4.1.2cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*
googleandroid4.2cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*
googleandroid4.2.1cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
google	android	*	cpe:2.3:o:google:android::::::::
google	android	4.0	cpe:2.3:o:google:android:4.0:::::::*
google	android	4.0.1	cpe:2.3:o:google:android:4.0.1:::::::*
google	android	4.0.2	cpe:2.3:o:google:android:4.0.2:::::::*
google	android	4.0.3	cpe:2.3:o:google:android:4.0.3:::::::*
google	android	4.0.4	cpe:2.3:o:google:android:4.0.4:::::::*
google	android	4.1	cpe:2.3:o:google:android:4.1:::::::*
google	android	4.1.2	cpe:2.3:o:google:android:4.1.2:::::::*
google	android	4.2	cpe:2.3:o:google:android:4.2:::::::*
google	android	4.2.1	cpe:2.3:o:google:android:4.2.1:::::::*

Rows per page:

1-10 of 171

References

packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak.html

seclists.org/fulldisclosure/2014/Nov/81

xteam.baidu.com/?p=158

android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

42.2%

JSON

Related for CVE-2014-8609