Information disclosure in Google Android



Published: 2020-08-11 | Updated: 2020-08-30
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-0249
CWE-ID CWE-200
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		Google Android
Operating systems & Components / Operating system

Vendor Google

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU45866

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-0249

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local authenticated user to gain access to sensitive information.

In postInstantAppNotif of InstantAppNotifier.java, there is a possible permission bypass due to a PendingIntent error. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.0 Android-8.1 Android-9Android ID: A-154719656

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 8.0 - 10

External links

http://source.android.com/security/bulletin/2020-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###