CVE-2022-2390

Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.0 / Impact : 5.8

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://developers.google.com/android/guides/releases#may_03_2022	Release Notes Vendor Advisory
https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:google_play_services_software_development_kit:*:*:*:*:*:*:*:*

History

17 Aug 2022, 13:24

Type	Values Removed	Values Added
First Time		Google Google google Play Services Software Development Kit
CWE		NVD-CWE-Other
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.4
CPE		cpe:2.3:a:google:google_play_services_software_development_kit::::::::
References	~~(CONFIRM) https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2 -~~	(CONFIRM) https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2 - Third Party Advisory
References	~~(CONFIRM) https://developers.google.com/android/guides/releases#may_03_2022 -~~	(CONFIRM) https://developers.google.com/android/guides/releases#may_03_2022 - Release Notes, Vendor Advisory

12 Aug 2022, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-08-12 11:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-2390

Mitre link : CVE-2022-2390

CVE.ORG link : CVE-2022-2390

JSON object : View

Products Affected

google

google_play_services_software_development_kit

CWE

NVD-CWE-Other CWE-471

Modification of Assumed-Immutable Data (MAID)

{"id": "CVE-2022-2390", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.0}, {"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 0.8}]}, "published": "2022-08-12T11:15:07.870", "references": [{"url": "https://developers.google.com/android/guides/releases#may_03_2022", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve-coordination@google.com"}, {"url": "https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2", "tags": ["Third Party Advisory"], "source": "cve-coordination@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-471"}]}], "descriptions": [{"lang": "en", "value": "Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps."}, {"lang": "es", "value": "Las aplicaciones desarrolladas con el SDK de servicios de Google Play ten\u00edan incorrectamente el indicador de mutabilidad establecido en PendingIntents que es pasado al servicio de notificaciones. Dado que el SDK de servicios de Google Play es usado ampliamente, este error afecta a muchas aplicaciones. Para una aplicaci\u00f3n afectada, este error permitir\u00e1 al atacante, obtener el acceso a todos los proveedores no exportados y/o conseguir el acceso a otros proveedores que la v\u00edctima presenta permisos. Es recomendado actualizar a versi\u00f3n 18.0.2 del SDK de Play Service, as\u00ed como reconstruir y volver a desplegar las aplicaciones."}], "lastModified": "2022-08-17T13:24:38.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:google_play_services_software_development_kit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4CECF19-065C-4E49-A711-F14CAC5076D8", "versionEndExcluding": "18.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}