Main Vulnerability Database Vulnerabilities #VU37276

Input validation error in Google Android - CVE-2017-13287

Published: April 4, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU37276

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-13287

CWE-ID: CWE-20

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a local authenticated user to execute arbitrary code.

In createFromParcel of VerifyCredentialResponse.java, there is a possible invalid parcel read due to improper input validation. This could lead to local escalation of privilege if mPayload in writeToParcel were null, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-71714464.

How to mitigate CVE-2017-13287

Install update from vendor's website.

Sources

https://source.android.com/security/bulletin/2018-04-01

Input validation error in Google Android - CVE-2017-13287

Detailed vulnerability description

How to mitigate CVE-2017-13287

Sources

Please verify you're human