Improper Privilege Management in Google Android - CVE-2020-0386

 

Improper Privilege Management in Google Android - CVE-2020-0386

Published: September 17, 2020 / Updated: September 25, 2020


Vulnerability identifier: #VU47100
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-0386
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Google
Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

In onCreate of RequestPermissionActivity.java, there is a possible tapjacking vector due to an insecure default value. This could lead to local escalation of privilege allowing an attacker to set Bluetooth discoverability with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10 Android-11Android ID: A-155650356


How to mitigate CVE-2020-0386

Install update from vendor's website.

Sources