Input validation error in Google, Google Android
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2011-0680 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Google Android Operating systems & Components / Operating system |
| Vendor |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Input validation error
EUVDB-ID: #VU45401
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-0680
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
data/WorkingMessage.java in the Mms application in Android before 2.2.2 and 2.3.x before 2.3.2 does not properly manage the draft cache, which allows remote attackers to read SMS messages intended for other recipients in opportunistic circumstances via a standard text messaging service.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Android: 1.5 - 2.3
CPE2.3 External linkshttps://android.git.kernel.org/?p=platform/packages/apps/Mms.git;a=commit;h=18d6b7e9d2e538fb3c0264332b96c02abf367267
https://android.git.kernel.org/?p=platform/packages/apps/Mms.git;a=commit;h=4d26623ce82230e8e7009adb921c5edea370a9e0
https://code.google.com/p/android/issues/detail?id=9392#c1460
https://code.google.com/p/android/issues/detail?id=9392#c1620
https://phandroid.com/2011/01/21/android-2-3-2-update-pushing-to-nexus-s-phone-fixes-sms-bug/
https://twitter.com/GalaxySsupport/statuses/28078194607263744
https://www.engadget.com/2011/01/22/nexus-one-gets-tiny-update-to-android-2-2-2-probably-fixes-sms/
https://www.htcphones.net/nexus-one-update-to-android-2-2-2/
https://www.samsunghub.com/2011/01/22/nexus-s-gets-android-2-3-2-fixes-sms-bug/
https://www.securityfocus.com/bid/46105
https://www.theinquirer.net/inquirer/news/1939386/google-updates-nexus-android-222
https://exchange.xforce.ibmcloud.com/vulnerabilities/65125
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
