CVE-2019-15424 - OpenCVE

The Doogee BL5000 Android device with a build fingerprint of DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:L/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Doogee	Bl5000 Bl5000 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:doogee:bl5000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:doogee:bl5000:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.kryptowire.com/android-firmware-2019/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-11-14T16:26:38

Updated: 2019-11-14T16:26:38

Reserved: 2019-08-22T00:00:00

Link: CVE-2019-15424

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-11-14T17:15:21.413

Modified: 2019-11-27T02:32:09.613

Link: CVE-2019-15424

JSON object: View

Redhat Information

No data.

CWE

CWE-610

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Doogee BL5000 Android device with a build fingerprint of DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-14T16:26:38", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.kryptowire.com/android-firmware-2019/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-15424", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Doogee BL5000 Android device with a build fingerprint of DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.kryptowire.com/android-firmware-2019/", "refsource": "MISC", "url": "https://www.kryptowire.com/android-firmware-2019/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-15424", "datePublished": "2019-11-14T16:26:38", "dateReserved": "2019-08-22T00:00:00", "dateUpdated": "2019-11-14T16:26:38", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:doogee:bl5000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "8B57844D-40F3-4F3A-A35C-FD30B4B8BC1D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:doogee:bl5000:-:*:*:*:*:*:*:*", "matchCriteriaId": "31A26D99-7513-4F3E-AA0C-8FB379CB1EE8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Doogee BL5000 Android device with a build fingerprint of DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device."}, {"lang": "es", "value": "El dispositivo Doogee BL5000 Android con una huella digital de compilaci\u00f3n de DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keys, contiene una aplicaci\u00f3n preinstalada con un nombre de paquete de aplicaci\u00f3n com.mediatek.factorymode (versionCode=1, versionName=1), que permite la modificaci\u00f3n de la configuraci\u00f3n inal\u00e1mbrica no autorizada mediante un ataque de tipo confused deputy. Esta capacidad puede ser accedida mediante cualquier aplicaci\u00f3n ubicada en el dispositivo."}], "id": "CVE-2019-15424", "lastModified": "2019-11-27T02:32:09.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-14T17:15:21.413", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.kryptowire.com/android-firmware-2019/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-610"}], "source": "nvd@nist.gov", "type": "Primary"}]}