CVE-2021-0331

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible overlay attack due to an insecure default value. This could lead to local escalation of privilege and notification access with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-170731783

CVSS v3 7.3 HIGH
CVSS v2.0 6.9 MEDIUM

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://source.android.com/security/bulletin/2021-02-01	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:google:android:8.1:::::::*
	cpe:2.3:o:google:android:9.0:::::::*
	cpe:2.3:o:google:android:10.0:::::::*
	cpe:2.3:o:google:android:11.0:::::::*

History

12 Feb 2021, 18:06

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.9 v3 : 7.3
CWE		CWE-1021
CPE		cpe:2.3:o:google:android:10.0:::::::* cpe:2.3:o:google:android:8.1:::::::* cpe:2.3:o:google:android:9.0:::::::* cpe:2.3:o:google:android:11.0:::::::*
References	~~(MISC) https://source.android.com/security/bulletin/2021-02-01 -~~	(MISC) https://source.android.com/security/bulletin/2021-02-01 - Patch, Vendor Advisory

10 Feb 2021, 17:51

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-02-10 17:15

Updated : 2023-12-10 13:41

NVD link : CVE-2021-0331

Mitre link : CVE-2021-0331

CVE.ORG link : CVE-2021-0331

JSON object : View

Products Affected

google

android

CWE

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

{"id": "CVE-2021-0331", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.3}]}, "published": "2021-02-10T17:15:20.367", "references": [{"url": "https://source.android.com/security/bulletin/2021-02-01", "tags": ["Patch", "Vendor Advisory"], "source": "security@android.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1021"}]}], "descriptions": [{"lang": "en", "value": "In onCreate of NotificationAccessConfirmationActivity.java, there is a possible overlay attack due to an insecure default value. This could lead to local escalation of privilege and notification access with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-170731783"}, {"lang": "es", "value": "En la funci\u00f3n onCreate del archivo NotificationAccessConfirmationActivity.java, se presenta un posible ataque de superposici\u00f3n debido a un valor predeterminado no seguro. Esto podr\u00eda conllevar a una escalada local de privilegios y acceso a notificaciones con privilegios de ejecuci\u00f3n User necesarios. Es requerida una interacci\u00f3n del usuario para su explotaci\u00f3n. Producto: Android, Versiones: Android-9 Android-10 Android-11 Android-8.1, ID de Android: A-170731783"}], "lastModified": "2021-02-12T18:06:36.407", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B06BE74B-83F4-41A3-8AD3-2E6248F7B0B2"}, {"criteria": "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8DFAAD08-36DA-4C95-8200-C29FE5B6B854"}, {"criteria": "cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D558D965-FA70-4822-A770-419E73BA9ED3"}, {"criteria": "cpe:2.3:o:google:android:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "109DD7FD-3A48-4C3D-8E1A-4433B98E1E64"}], "operator": "OR"}]}], "sourceIdentifier": "security@android.com"}