SB2023030641 - Multiple vulnerabilities in Unisoc chipsets
Published: March 6, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 24 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2022-47484)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can manipulate data.
2) Out-of-bounds write (CVE-ID: CVE-2022-47459)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read, manipulate or delete data.
The vulnerability exists due to a possible missing params check within the wlan driver in Kerenl. A local application can read, manipulate or delete data.
3) Missing Authorization (CVE-ID: CVE-2022-47462)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a missing permission check within the telephone service in Android. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
4) Information Exposure (CVE-ID: CVE-2022-47461)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
5) Use After Free (CVE-ID: CVE-2022-47460)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to damange or delete data.
The vulnerability exists due to a memory corruption due to a use after free within the gpu device in Kerenl. A local application can damange or delete data.
6) Out-of-bounds read (CVE-ID: CVE-2022-47458)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a possible missing params check within the fm driver in Kerenl. A local application can read and manipulate data.
7) Out-of-bounds write (CVE-ID: CVE-2022-47457)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a possible missing params check within the fm driver in Kerenl. A local application can read and manipulate data.
8) Buffer over-read (CVE-ID: CVE-2022-47456)
CWE-ID: CWE-126 - Buffer over-read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing params check within the wlan driver in Kerenl. A local application can perform a denial of service (DoS) attack.
9) Buffer over-read (CVE-ID: CVE-2022-47455)
CWE-ID: CWE-126 - Buffer over-read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing params check within the wlan driver in Kerenl. A local application can perform a denial of service (DoS) attack.
10) Integer overflow (CVE-ID: CVE-2022-47454)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to a possible missing params check within the wlan driver in Kerenl. A local privileged application can read and manipulate data.
11) Memory corruption (CVE-ID: CVE-2022-47453)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to a possible missing params check within the wcn service in Kerenl. A local privileged application can read and manipulate data.
12) Missing Authorization (CVE-ID: CVE-2022-47483)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
13) Information Exposure (CVE-ID: CVE-2022-47472)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the setting service in Android. A local application can read and manipulate data.
14) Missing Authorization (CVE-ID: CVE-2022-47482)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
15) Missing Authorization (CVE-ID: CVE-2022-47481)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
16) Missing Authorization (CVE-ID: CVE-2022-47480)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
17) Information Exposure (CVE-ID: CVE-2022-47479)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
18) Information Exposure (CVE-ID: CVE-2022-47478)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
19) Information Exposure (CVE-ID: CVE-2022-47477)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
20) Information Exposure (CVE-ID: CVE-2022-47476)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
21) Information Exposure (CVE-ID: CVE-2022-47475)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
22) Information Exposure (CVE-ID: CVE-2022-47474)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
23) Information Exposure (CVE-ID: CVE-2022-47471)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
24) Information Exposure (CVE-ID: CVE-2022-47473)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
Remediation
Install update from vendor's website.