CVE-2022-45118 - OpenCVE

OpenHarmony-v3.1.2 and prior versions had a vulnerability that telephony in communication subsystem sends public events with personal data, but the permission is not set. Malicious apps could listen to public events and obtain information such as mobile numbers and SMS data without permissions.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Openharmony	Openharmony

Configuration 1 [-]

cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*

References

Link	Resource
https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-12.md	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: OpenHarmony

Published: 2022-12-08T00:00:00

Updated: 2022-12-12T09:47:38.527824Z

Reserved: 2022-11-24T00:00:00

Link: CVE-2022-45118

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-12-08T16:15:13.553

Modified: 2022-12-12T17:00:58.777

Link: CVE-2022-45118

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"vendor": "OpenHarmony", "product": "OpenHarmony", "versions": [{"version": "3.1.0", "status": "affected"}]}], "datePublic": "2022-12-07T07:11:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OpenHarmony-v3.1.2 and prior versions had a vulnerability that telephony in communication subsystem sends public events with personal data, but the permission is not set. Malicious apps could listen to public events and obtain information such as mobile numbers and SMS data without permissions."}], "value": "OpenHarmony-v3.1.2 and prior versions had a vulnerability that telephony in communication subsystem sends public events with personal data, but the permission is not set. Malicious apps could listen to public events and obtain information such as mobile numbers and SMS data without permissions."}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "dateUpdated": "2022-12-12T09:47:38.527824Z"}, "references": [{"url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-12.md", "refsource": "MISC", "name": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-12.md"}], "source": {"discovery": "UNKNOWN"}, "title": "Telephony in communication subsystem sends public events with personal data, but the permission is not set.", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}, "cveMetadata": {"assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "cveId": "CVE-2022-45118", "serial": 1, "state": "PUBLISHED", "dateUpdated": "2022-12-12T09:47:38.527824Z", "dateReserved": "2022-11-24T00:00:00", "datePublished": "2022-12-08T00:00:00", "assignerShortName": "OpenHarmony"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*", "matchCriteriaId": "2976685D-D374-45B2-AC0B-0045B4C19959", "versionEndIncluding": "3.1.4", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenHarmony-v3.1.2 and prior versions had a vulnerability that telephony in communication subsystem sends public events with personal data, but the permission is not set. Malicious apps could listen to public events and obtain information such as mobile numbers and SMS data without permissions."}, {"lang": "es", "value": "OpenHarmony-v3.1.2 y versiones anteriores ten\u00edan la vulnerabilidad de que la telefon\u00eda en el subsistema de comunicaci\u00f3n env\u00eda eventos p\u00fablicos con datos personales, pero el permiso no est\u00e1 establecido. Las aplicaciones maliciosas podr\u00edan escuchar eventos p\u00fablicos y obtener informaci\u00f3n como n\u00fameros de m\u00f3viles y datos de SMS sin permisos."}], "id": "CVE-2022-45118", "lastModified": "2022-12-12T17:00:58.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "scy@openharmony.io", "type": "Secondary"}]}, "published": "2022-12-08T16:15:13.553", "references": [{"source": "scy@openharmony.io", "tags": ["Third Party Advisory"], "url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-12.md"}], "sourceIdentifier": "scy@openharmony.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "scy@openharmony.io", "type": "Secondary"}]}