Lucene search

[email protected]CVE-2022-1230

HistoryMar 28, 2023 - 7:15 p.m.

CVE-2022-1230

2023-03-2819:15:10

CWE-601

[email protected]

web.nvd.nist.gov

samsung galaxy s21

cve-2022-1230

arbitrary code execution

local attackers

vulnerability

nvd

zdi-can-15918

3.9 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

4.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.9%

JSON

This vulnerability allows local attackers to execute arbitrary code on affected installations of Samsung Galaxy S21 prior to 4.5.40.5 phones. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of redirections. An attacker can force a redirection to a site that serves malicious content. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the current user. Was ZDI-CAN-15918.

Affected configurations

NVD

Node

samsunggalaxy_s21_firmwareRange<4.5.40.5

AND

samsunggalaxy_s21Match-

CPENameOperatorVersion
samsung:galaxy_s21_firmwaresamsung galaxy s21 firmwarelt4.5.40.5

CPE	Name	Operator	Version
samsung:galaxy_s21_firmware	samsung galaxy s21 firmware	lt	4.5.40.5

CNA Affected

[
  {
    "vendor": "Samsung",
    "product": "Galaxy S21",
    "versions": [
      {
        "version": "prior to 4.5.40.5",
        "status": "affected"
      }
    ]
  }
]

References

security.samsungmobile.com/serviceWeb.smsb

www.zerodayinitiative.com/advisories/ZDI-22-621/