Lucene search

LGECVE-2023-44124

HistorySep 27, 2023 - 3:19 p.m.

CVE-2023-44124

2023-09-2715:19:35

CWE-927

CWE-668

LGE

web.nvd.nist.gov

cve-2023-44124

theft

arbitrary files

screen recording

world-readable storage

system privilege

nvd

vulnerability

implicit intents

interepted

third-party apps

CVSS3

6.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

AI Score

4.5

Confidence

High

EPSS

Percentile

12.7%

JSON

The vulnerability is to theft of arbitrary files with system privilege in the Screen recording (“com.lge.gametools.gamerecorder”) app in the “com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java” file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the “onActivityResult()” method. The Screen recording app saves contents of arbitrary URIs to SD card which is a world-readable storage.

Affected configurations

Nvd

Node

googleandroidMatch12.0

googleandroidMatch13.0

AND

lgv60_thin_q_5gMatch-

VendorProductVersionCPE
googleandroid12.0cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*
googleandroid13.0cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*
lgv60_thin_q_5g-cpe:2.3:h:lg:v60_thin_q_5g:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
google	android	12.0	cpe:2.3:o:google:android:12.0:::::::*
google	android	13.0	cpe:2.3:o:google:android:13.0:::::::*
lg	v60_thin_q_5g	-	cpe:2.3:h:lg:v60_thin_q_5g:-:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "LG V60 Thin Q 5G(LMV600VM)",
    "vendor": "LG Electronics",
    "versions": [
      {
        "status": "affected",
        "version": "Android 12, 13"
      }
    ]
  }
]

References

lgsecurity.lge.com/bulletins/mobile#updateDetails