CVE-2023-25647 - OpenCVE

There is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications in mobile phone could monitor the touch event.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Zte	Axon 30 Firmware Axon 40 Pro Axon 30 Axon 40 Ultra Nubia Z50 Firmware Axon 40 Pro Firmware Axon 40 Ultra Firmware Nubia Z50

Configuration 1 [-]

AND

cpe:2.3:o:zte:axon_30_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:axon_30:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:zte:axon_40_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:axon_40_pro:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:zte:axon_40_ultra_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:axon_40_ultra:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:zte:nubia_z50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:nubia_z50:-:*:*:*:*:*:*:*

References

Link	Resource
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032264	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: zte

Published: 2023-08-17T02:13:19.932Z

Updated: 2023-08-30T00:56:20.949Z

Reserved: 2023-02-09T19:47:48.022Z

Link: CVE-2023-25647

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-08-17T03:15:09.003

Modified: 2023-08-24T16:20:12.140

Link: CVE-2023-25647

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-25647", "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "state": "PUBLISHED", "assignerShortName": "zte", "dateReserved": "2023-02-09T19:47:48.022Z", "datePublished": "2023-08-17T02:13:19.932Z", "dateUpdated": "2023-08-30T00:56:20.949Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Android"], "product": "Some ZTE Mobile Phones", "vendor": "ZTE", "versions": [{"lessThanOrEqual": "V1.0.0B07", "status": "affected", "version": "NON_EEA_P870F21V1.0.0B01", "versionType": "V1.0.0B07"}, {"lessThanOrEqual": "V1.0.0B18MR", "status": "affected", "version": " GEN_ZTE_PQ82A01V1.0.0B01MR", "versionType": "V1.0.0B18MR"}, {"lessThanOrEqual": "V3.0.0B05", "status": "affected", "version": "GEN_ZTE_P870A01V3.0.0B01", "versionType": "V3.0.0B05"}, {"lessThanOrEqual": "V2.0.0B16", "status": "affected", "version": "GEN_ZTE_P898A01V2.0.0B01", "versionType": "V2.0.0B16"}]}], "datePublic": "2023-07-27T02:10:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\n<span style=\"background-color: rgb(255, 255, 255);\">T</span><span style=\"background-color: rgb(255, 255, 255);\">here is a permission and access control vulnerability in some ZTE mobile phones. Due to </span><span style=\"background-color: rgb(255, 255, 255);\">improper access control</span><span style=\"background-color: rgb(255, 255, 255);\">, </span><span style=\"background-color: rgb(255, 255, 255);\">applications in mobile phone c</span><span style=\"background-color: rgb(255, 255, 255);\">ould</span><span style=\"background-color: rgb(255, 255, 255);\"> </span><span style=\"background-color: rgb(255, 255, 255);\">monitor</span><span style=\"background-color: rgb(255, 255, 255);\"> </span><span style=\"background-color: rgb(255, 255, 255);\">the touch</span><span style=\"background-color: rgb(255, 255, 255);\"> event.</span>\n\n\n\n"}], "value": "\n\n\nThere is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications in mobile phone could\u00a0monitor\u00a0the touch\u00a0event.\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte", "dateUpdated": "2023-08-30T00:56:20.949Z"}, "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032264"}], "source": {"discovery": "EXTERNAL"}, "title": "Permission and Access Control Vulnerability in Some ZTE Mobile Phones", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:axon_30_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B7C570B-450A-46EF-BE44-C9080D843A58", "versionEndExcluding": "3.0.0b06", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:axon_30:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2F14440-A165-43E7-BDA7-EC4C9C95123E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:axon_40_pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9D395-28E9-4618-90AC-389D57EFC0BE", "versionEndExcluding": "1.0.0b16", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:axon_40_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "3A9FA4EE-82AA-4C53-A084-7B7286361253", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:axon_40_ultra_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D7BB985-80B3-49A2-8AE4-6077CB394328", "versionEndExcluding": "2.0.0b17", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:axon_40_ultra:-:*:*:*:*:*:*:*", "matchCriteriaId": "3C9F41AC-BCE6-416B-B11F-D86769525F9D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:nubia_z50_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5372F382-E1BF-4446-A2FE-679951C97FA1", "versionEndExcluding": "1.0.0b19mr", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:nubia_z50:-:*:*:*:*:*:*:*", "matchCriteriaId": "34767307-B629-4BE7-8530-F604BF5BF459", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\n\n\nThere is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications in mobile phone could\u00a0monitor\u00a0the touch\u00a0event.\n\n\n\n"}], "id": "CVE-2023-25647", "lastModified": "2023-08-24T16:20:12.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "psirt@zte.com.cn", "type": "Secondary"}]}, "published": "2023-08-17T03:15:09.003", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032264"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "psirt@zte.com.cn", "type": "Secondary"}]}