CVE-2023-44129

The vulnerability is that the Messaging ("com.android.mms") app patched by LG forwards attacker-controlled intents back to the attacker in the exported "com.android.mms.ui.QClipIntentReceiverActivity" activity. The attacker can abuse this functionality by launching this activity and then sending a broadcast with the "com.lge.message.action.QCLIP" action. The attacker can send, e.g., their own data/clipdata and set Intent.FLAG_GRANT_* flags. After the attacker received that intent in the "onActivityResult()" method, they would have access to arbitrary content providers that have the `android:grantUriPermissions="true"` flag set.

CVSS v3 3.3 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lgsecurity.lge.com/bulletins/mobile#updateDetails	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

cpe:2.3:h:lg:v60_thin_q_5g:-:*:*:*:*:*:*:*

History

02 Oct 2023, 18:59

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 3.3
First Time		Lg Lg v60 Thin Q 5g Google Google android
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:o:google:android:::::::: cpe:2.3:h:lg:v60_thin_q_5g:-:::::::*
References	~~(MISC) https://lgsecurity.lge.com/bulletins/mobile#updateDetails -~~	(MISC) https://lgsecurity.lge.com/bulletins/mobile#updateDetails - Vendor Advisory

27 Sep 2023, 15:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-27 15:19

Updated : 2023-12-10 15:14

NVD link : CVE-2023-44129

Mitre link : CVE-2023-44129

CVE.ORG link : CVE-2023-44129

JSON object : View

Products Affected

lg

v60_thin_q_5g

google

android

CWE

NVD-CWE-noinfo CWE-926

Improper Export of Android Application Components

{"id": "CVE-2023-44129", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "product.security@lge.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.6, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2023-09-27T15:19:37.350", "references": [{"url": "https://lgsecurity.lge.com/bulletins/mobile#updateDetails", "tags": ["Vendor Advisory"], "source": "product.security@lge.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "product.security@lge.com", "description": [{"lang": "en", "value": "CWE-926"}]}], "descriptions": [{"lang": "en", "value": "The vulnerability is that the Messaging (\"com.android.mms\") app patched by LG forwards attacker-controlled intents back to the attacker in the exported \"com.android.mms.ui.QClipIntentReceiverActivity\" activity. The attacker can abuse this functionality by launching this activity and then sending a broadcast with the \"com.lge.message.action.QCLIP\" action. The attacker can send, e.g., their own data/clipdata and set Intent.FLAG_GRANT_* flags. After the attacker received that intent in the \"onActivityResult()\" method, they would have access to arbitrary content providers that have the `android:grantUriPermissions=\"true\"` flag set."}, {"lang": "es", "value": "La vulnerabilidad es que la aplicaci\u00f3n de mensajer\u00eda (\"com.android.mms\") parcheada por LG reenv\u00eda intentos controlados por el atacante en la actividad \"com.android.mms.ui.QClipIntentReceiverActivity\" exportada. El atacante puede abusar de esta funcionalidad iniciando esta actividad y luego enviando una transmisi\u00f3n con la acci\u00f3n \"com.lge.message.action.QCLIP\". El atacante puede enviar, por ejemplo, sus propios datos/clipdata y establecer indicadores Intent.FLAG_GRANT_*. Despu\u00e9s de que el atacante recibiera esa intenci\u00f3n en el m\u00e9todo \"onActivityResult()\", tendr\u00eda acceso a proveedores de contenido arbitrarios que tengan configurado el indicador `android:grantUriPermissions=\"true\"`."}], "lastModified": "2023-10-02T18:59:15.660", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5E2EE3E-FD6F-4D27-871A-EE468B136DA0", "versionEndIncluding": "13.0", "versionStartIncluding": "12.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:lg:v60_thin_q_5g:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "85B3B7D2-762E-4DD5-90F9-5246907748C4"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "product.security@lge.com"}