Lucene search

[email protected]NVD:CVE-2022-29580

HistoryDec 13, 2022 - 3:15 p.m.

CVE-2022-29580

2022-12-1315:15:10

CWE-22

CWE-427

[email protected]

web.nvd.nist.gov

android

google search

path traversal

vulnerability

code execution

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

25.4%

JSON

There exists a path traversal vulnerability in the Android Google Search app. This is caused by the incorrect usage of uri.getLastPathSegment. A symbolic encoded string can bypass the path logic to get access to unintended directories. An attacker can manipulate paths that could lead to code execution on the device. We recommend upgrading beyond version 13.41

Affected configurations

Nvd

Node

googlegoogle_searchRange<13.41android

VendorProductVersionCPE
googlegoogle_search*cpe:2.3:a:google:google_search:*:*:*:*:*:android:*:*

Vendor	Product	Version	CPE
google	google_search	*	cpe:2.3:a:google:google_search::::::android::*

References

support.google.com/faqs/answer/7496913?hl=en

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

25.4%

JSON

Related for NVD:CVE-2022-29580

cvelist1 prion1 cve1