CVE Vulnerabilities

CVE-2021-0599

Externally Controlled Reference to a Resource in Another Sphere

Published: Jul 14, 2021 | Modified: Jul 15, 2021
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
4.9 MEDIUM
AV:L/AC:L/Au:N/C:C/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

In scheduleTimeoutLocked of NotificationRecord.java, there is a possible disclosure of a sensitive identifier via broadcasted intent due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-175614289

Weakness

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Affected Software

Name Vendor Start Version End Version
Android Google 8.1 8.1
Android Google 9.0 9.0
Android Google 10.0 10.0
Android Google 11.0 11.0

References