Incorrect default permissions in Google Android - CVE-2019-2114
Published: November 3, 2019
Google Android
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions within the Android Beam service when installing an application transferred via NFC. An attacker with physical proximity to the device can transfer a malicious application to the device and trick the victim into installing it just by tapping on the notification. No additional warnings are displayed for apps transferred via NFC beaming.