Information exposure in MediaTek Mobile applications

#VU87963 Information exposure in MediaTek Mobile applications

Published: 2024-04-01

Vulnerability identifier: #VU87963

Vulnerability risk: Low

CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-20055

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vendor: MediaTek

Description

The vulnerability allows a local privileged application to gain access to sensitive information.

The vulnerability exists due to a missing bounds check within imgsys. A local privileged application can gain access to sensitive information.

Mitigation
Install security update from vendor's website.

Vulnerable software versions

MT2713: All versions

MT8168: All versions

MT8173: All versions

MT8175: All versions

MT8188: All versions

MT8195: All versions

MT8365: All versions

MT8370: All versions

MT8390: All versions

MT8395: All versions

MT8673: All versions

MT8696: All versions

MT8781: All versions

MT8795T: All versions

MT8798: All versions

MT8871: All versions

External links
http://corp.mediatek.com/product-security-bulletin/April-2024

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.