CVE-2022-2390 - OpenCVE

Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Google	Google Play Services Software Development Kit

Configuration 1 [-]

cpe:2.3:a:google:google_play_services_software_development_kit:*:*:*:*:*:*:*:*

References

Link	Resource
https://developers.google.com/android/guides/releases#may_03_2022	Release Notes Vendor Advisory
https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Google

Published: 2022-08-12T10:25:08

Updated: 2022-08-12T10:25:08

Reserved: 2022-07-12T00:00:00

Link: CVE-2022-2390

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-12T11:15:07.870

Modified: 2022-08-17T13:24:38.217

Link: CVE-2022-2390

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Play Services SDK", "vendor": "Google LLC", "versions": [{"lessThan": "18.0.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-471", "description": "CWE-471 Modification of Assumed-Immutable Data (MAID)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-12T10:25:08", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://developers.google.com/android/guides/releases#may_03_2022"}, {"tags": ["x_refsource_MISC"], "url": "https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2"}], "source": {"discovery": "EXTERNAL"}, "title": "Mutable pending intent in Google Play services SDK", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2022-2390", "STATE": "PUBLIC", "TITLE": "Mutable pending intent in Google Play services SDK"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Play Services SDK", "version": {"version_data": [{"version_affected": "<", "version_value": "18.0.2"}]}}]}, "vendor_name": "Google LLC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-471 Modification of Assumed-Immutable Data (MAID)"}]}]}, "references": {"reference_data": [{"name": "https://developers.google.com/android/guides/releases#may_03_2022", "refsource": "MISC", "url": "https://developers.google.com/android/guides/releases#may_03_2022"}, {"name": "https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2", "refsource": "MISC", "url": "https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2022-2390", "datePublished": "2022-08-12T10:25:08", "dateReserved": "2022-07-12T00:00:00", "dateUpdated": "2022-08-12T10:25:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:google_play_services_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4CECF19-065C-4E49-A711-F14CAC5076D8", "versionEndExcluding": "18.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps."}, {"lang": "es", "value": "Las aplicaciones desarrolladas con el SDK de servicios de Google Play ten\u00edan incorrectamente el indicador de mutabilidad establecido en PendingIntents que es pasado al servicio de notificaciones. Dado que el SDK de servicios de Google Play es usado ampliamente, este error afecta a muchas aplicaciones. Para una aplicaci\u00f3n afectada, este error permitir\u00e1 al atacante, obtener el acceso a todos los proveedores no exportados y/o conseguir el acceso a otros proveedores que la v\u00edctima presenta permisos. Es recomendado actualizar a versi\u00f3n 18.0.2 del SDK de Play Service, as\u00ed como reconstruir y volver a desplegar las aplicaciones."}], "id": "CVE-2022-2390", "lastModified": "2022-08-17T13:24:38.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 4.7, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2022-08-12T11:15:07.870", "references": [{"source": "cve-coordination@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developers.google.com/android/guides/releases#may_03_2022"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-471"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}