CVE-2019-9253 - OpenCVE

In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109769728

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:C/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Google	Android

Configuration 1 [-]

cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*

References

Link	Resource
https://source.android.com/security/bulletin/android-10	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: google_android

Published: 2019-09-27T18:05:13

Updated: 2019-09-27T18:05:13

Reserved: 2019-02-28T00:00:00

Link: CVE-2019-9253

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-09-27T19:15:18.200

Modified: 2019-10-02T17:07:27.413

Link: CVE-2019-9253

JSON object: View

Redhat Information

No data.

CWE

CWE-922

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D558D965-FA70-4822-A770-419E73BA9ED3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109769728"}, {"lang": "es", "value": "En KeyStore, se presenta un posible almacenamiento de claves sim\u00e9tricas en el TEE en lugar de la strongbox debido a que falta un flag de la strongbox. Esto podr\u00eda conllevar a una divulgaci\u00f3n de informaci\u00f3n local con los privilegios de ejecuci\u00f3n System necesarios. No es requerida una interacci\u00f3n del usuario para su explotaci\u00f3n. Producto: Android, Versiones: Android-10, ID de Android: A-109769728"}], "id": "CVE-2019-9253", "lastModified": "2019-10-02T17:07:27.413", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-27T19:15:18.200", "references": [{"source": "security@android.com", "tags": ["Vendor Advisory"], "url": "https://source.android.com/security/bulletin/android-10"}], "sourceIdentifier": "security@android.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-922"}], "source": "nvd@nist.gov", "type": "Primary"}]}