CVE-2019-15429 - OpenCVE

The Panasonic ELUGA_I9 Android device with a build fingerprint of Panasonic/ELUGA_I9/ELUGA_I9:7.0/NRD90M/1501740649:user/release-keys contains a pre-installed app with a package name of com.ovvi.modem app (versionCode=1, versionName=1) that allows unauthorized attacker-controlled at command via a confused deputy attack. This capability can be accessed by any app co-located on the device.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Panasonic	Eluga I9 Eluga I9 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:panasonic:eluga_i9_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:panasonic:eluga_i9:-:*:*:*:*:*:*:*

References

Link	Resource
https://mobile.panasonic.com/in/advisory
https://www.kryptowire.com/android-firmware-2019/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-11-14T16:26:46

Updated: 2020-05-19T11:43:02

Reserved: 2019-08-22T00:00:00

Link: CVE-2019-15429

JSON object: View

NVD Information

Status : Modified

Published: 2019-11-14T17:15:21.757

Modified: 2020-05-19T12:15:10.847

Link: CVE-2019-15429

JSON object: View

Redhat Information

No data.

CWE

CWE-610

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Panasonic ELUGA_I9 Android device with a build fingerprint of Panasonic/ELUGA_I9/ELUGA_I9:7.0/NRD90M/1501740649:user/release-keys contains a pre-installed app with a package name of com.ovvi.modem app (versionCode=1, versionName=1) that allows unauthorized attacker-controlled at command via a confused deputy attack. This capability can be accessed by any app co-located on the device."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-19T11:43:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.kryptowire.com/android-firmware-2019/"}, {"tags": ["x_refsource_MISC"], "url": "https://mobile.panasonic.com/in/advisory"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-15429", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Panasonic ELUGA_I9 Android device with a build fingerprint of Panasonic/ELUGA_I9/ELUGA_I9:7.0/NRD90M/1501740649:user/release-keys contains a pre-installed app with a package name of com.ovvi.modem app (versionCode=1, versionName=1) that allows unauthorized attacker-controlled at command via a confused deputy attack. This capability can be accessed by any app co-located on the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.kryptowire.com/android-firmware-2019/", "refsource": "MISC", "url": "https://www.kryptowire.com/android-firmware-2019/"}, {"name": "https://mobile.panasonic.com/in/advisory", "refsource": "MISC", "url": "https://mobile.panasonic.com/in/advisory"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-15429", "datePublished": "2019-11-14T16:26:46", "dateReserved": "2019-08-22T00:00:00", "dateUpdated": "2020-05-19T11:43:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:panasonic:eluga_i9_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "2715A276-D355-4304-A8E4-92E8009A05D9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:panasonic:eluga_i9:-:*:*:*:*:*:*:*", "matchCriteriaId": "20663056-3DDC-4976-A8C0-56860DDC30A9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Panasonic ELUGA_I9 Android device with a build fingerprint of Panasonic/ELUGA_I9/ELUGA_I9:7.0/NRD90M/1501740649:user/release-keys contains a pre-installed app with a package name of com.ovvi.modem app (versionCode=1, versionName=1) that allows unauthorized attacker-controlled at command via a confused deputy attack. This capability can be accessed by any app co-located on the device."}, {"lang": "es", "value": "El dispositivo Panasonic ELUGA_I9 Android con una huella digital de Panasonic/ELUGA_I9/ELUGA_I9:7.0/NRD90M/1501740649:user/release-keys, contiene una aplicaci\u00f3n preinstalada con un nombre de paquete de aplicaci\u00f3n com.ovvi.modem (versionCode=1, versionName=1), que permite comandos controlados por un atacante no autorizado mediante un ataque de tipo confused deputy. Esta capacidad puede ser accedida mediante cualquier aplicaci\u00f3n ubicada sobre el dispositivo."}], "id": "CVE-2019-15429", "lastModified": "2020-05-19T12:15:10.847", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-14T17:15:21.757", "references": [{"source": "cve@mitre.org", "url": "https://mobile.panasonic.com/in/advisory"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.kryptowire.com/android-firmware-2019/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-610"}], "source": "nvd@nist.gov", "type": "Primary"}]}