The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a "concrete and exploitable risk.
References
Link | Resource |
---|---|
https://gitlab.com/kop316/vvm-disclosure | Exploit Third Party Advisory |
https://www.kb.cert.org/vuls/id/383864 | Third Party Advisory US Government Resource |
Configurations
History
07 Nov 2023, 03:44
Type | Values Removed | Values Added |
---|---|---|
Summary | The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a "concrete and exploitable risk. |
10 Mar 2022, 16:38
Type | Values Removed | Values Added |
---|---|---|
First Time |
Visual Voice Mail Project
Visual Voice Mail Project visual Voice Mail |
|
CPE | cpe:2.3:a:visual_voice_mail_project:visual_voice_mail:*:*:*:*:*:android:*:* | |
References | (MISC) https://www.kb.cert.org/vuls/id/383864 - Third Party Advisory, US Government Resource | |
References | (MISC) https://gitlab.com/kop316/vvm-disclosure - Exploit, Third Party Advisory | |
CWE | CWE-668 | |
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 8.1 |
25 Feb 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-02-25 04:15
Updated : 2024-04-11 01:14
NVD link : CVE-2022-23835
Mitre link : CVE-2022-23835
CVE.ORG link : CVE-2022-23835
JSON object : View
Products Affected
visual_voice_mail_project
- visual_voice_mail
CWE
CWE-668
Exposure of Resource to Wrong Sphere