CVE-2022-23835 - OpenCVE

The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a "concrete and exploitable risk.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Visual Voice Mail Project	Visual Voice Mail

Configuration 1 [-]

cpe:2.3:a:visual_voice_mail_project:visual_voice_mail:*:*:*:*:*:android:*:*

References

Link	Resource
https://gitlab.com/kop316/vvm-disclosure	Exploit Third Party Advisory
https://www.kb.cert.org/vuls/id/383864	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-02-25T03:31:02

Updated: 2022-02-25T03:31:02

Reserved: 2022-01-21T00:00:00

Link: CVE-2022-23835

JSON object: View

NVD Information

Status : Modified

Published: 2022-02-25T04:15:06.710

Modified: 2024-05-17T02:05:56.607

Link: CVE-2022-23835

JSON object: View

Redhat Information

No data.

CWE

CWE-668

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a \"concrete and exploitable risk."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-25T03:31:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/kop316/vvm-disclosure"}, {"tags": ["x_refsource_MISC"], "url": "https://www.kb.cert.org/vuls/id/383864"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-23835", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a \"concrete and exploitable risk.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/kop316/vvm-disclosure", "refsource": "MISC", "url": "https://gitlab.com/kop316/vvm-disclosure"}, {"name": "https://www.kb.cert.org/vuls/id/383864", "refsource": "MISC", "url": "https://www.kb.cert.org/vuls/id/383864"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-23835", "datePublished": "2022-02-25T03:31:02", "dateReserved": "2022-01-21T00:00:00", "dateUpdated": "2022-02-25T03:31:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:visual_voice_mail_project:visual_voice_mail:*:*:*:*:*:android:*:*", "matchCriteriaId": "D5D1EC18-3D1F-4074-B555-D8758BCBCEDA", "versionEndIncluding": "2022-02-24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a \"concrete and exploitable risk."}, {"lang": "es", "value": "** EN DISPUTA ** La aplicaci\u00f3n Visual Voice Mail (VVM) versiones hasta el 2022-02-24 para Android, permite un acceso persistente si un atacante controla temporalmente una aplicaci\u00f3n que presenta el permiso READ_SMS, y lee un mensaje de credenciales IMAP que (por dise\u00f1o) no es mostrado a la v\u00edctima dentro de la aplicaci\u00f3n de mensajer\u00eda AOSP SMS/MMS. (A menudo, las credenciales IMAP pueden usarse para escuchar los mensajes de correo de voz enviados antes de que sea explotada la vulnerabilidad, adem\u00e1s de los nuevos). NOTA: algunos vendedores caracterizan esto como un \"riesgo concreto y explotable\".\n"}], "id": "CVE-2022-23835", "lastModified": "2024-05-17T02:05:56.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-25T04:15:06.710", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gitlab.com/kop316/vvm-disclosure"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/383864"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}]}