CVE-2018-14066 - OpenCVE

The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo phones (such as the A7020) that have since been fixed by Lenovo.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Android
Infinixmobility	Infinix X571
Lenovo	Lenovo A7020

Configuration 1 [-]

AND

cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*

cpe:2.3:h:infinixmobility:infinix_x571:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:lenovo_a7020:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-07-15T16:00:00Z

Updated: 2024-09-16T18:19:07.536Z

Reserved: 2018-07-15T00:00:00Z

Link: CVE-2018-14066

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-07-15T16:29:00.223

Modified: 2018-09-21T13:47:42.450

Link: CVE-2018-14066

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo phones (such as the A7020) that have since been fixed by Lenovo."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-15T16:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-14066", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo phones (such as the A7020) that have since been fixed by Lenovo."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/", "refsource": "MISC", "url": "https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T09:21:40.852Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-14066", "datePublished": "2018-07-15T16:00:00Z", "dateReserved": "2018-07-15T00:00:00Z", "dateUpdated": "2024-09-16T18:19:07.536Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "09E6085C-A61E-4A89-BF80-EDD9A7DF1E47", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:infinixmobility:infinix_x571:-:*:*:*:*:*:*:*", "matchCriteriaId": "BDDC149C-DDAC-4371-8AA2-41EA948B6CBB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E70C6D8D-C9C3-4D92-8DFC-71F59E068295", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:lenovo_a7020:-:*:*:*:*:*:*:*", "matchCriteriaId": "3902A93A-D104-4A8D-AEC7-1EB8A18B7DBC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo phones (such as the A7020) that have since been fixed by Lenovo."}, {"lang": "es", "value": "El proveedor de contenidos content://wappush en com.android.provider.telephony, tal y como se encuentra en algunas ROM personalizadas para tel\u00e9fonos Android, permite la inyecci\u00f3n SQL. Una consecuencia es que una aplicaci\u00f3n sin el permiso READ_SMS puede leer mensajes SMS. Esto afecta a los tel\u00e9fonos Infinix X571, as\u00ed como a algunos tel\u00e9fonos de Lenovo (como el A7020), que ya han sido reparados por Lenovo."}], "id": "CVE-2018-14066", "lastModified": "2018-09-21T13:47:42.450", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-15T16:29:00.223", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}