Improper Privilege Management in Google Android - CVE-2020-0080

 

Improper Privilege Management in Google Android - CVE-2020-0080

Published: April 17, 2020 / Updated: August 8, 2020


Vulnerability identifier: #VU34438
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-0080
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Google
Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In onOpActiveChanged and related methods of AppOpsControllerImpl.java, there is a possible way to display an app overlaying other apps without the notification icon that it's overlaying. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-144092031


How to mitigate CVE-2020-0080

Install update from vendor's website.

Sources