The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a "concrete and exploitable risk.
References
Link | Resource |
---|---|
https://gitlab.com/kop316/vvm-disclosure | Exploit Third Party Advisory |
https://www.kb.cert.org/vuls/id/383864 | Third Party Advisory US Government Resource |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-02-25T03:31:02
Updated: 2022-02-25T03:31:02
Reserved: 2022-01-21T00:00:00
Link: CVE-2022-23835
JSON object: View
NVD Information
Status : Modified
Published: 2022-02-25T04:15:06.710
Modified: 2024-05-17T02:05:56.607
Link: CVE-2022-23835
JSON object: View
Redhat Information
No data.
CWE