{"containers": {"cna": {"affected": [{"product": "Android", "vendor": "n/a", "versions": [{"status": "affected", "version": "Android-10"}]}], "descriptions": [{"lang": "en", "value": "In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774"}], "problemTypes": [{"descriptions": [{"description": "Remote code execution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-27T00:06:14", "orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "shortName": "google_android"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://source.android.com/security/bulletin/android-10"}, {"name": "[oss-security] 20191025 Security fixes from Android 10 release which are relevant outside the Android ecosystem?", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/10/25/17"}, {"name": "[oss-security] 20191026 Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/10/27/1"}, {"name": "[oss-security] 20191107 Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/11/07/1"}, {"name": "DSA-4618", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4618"}, {"name": "[debian-lts-announce] 20200210 [SECURITY] [DLA 2100-1] libexif security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00007.html"}, {"name": "20200210 [SECURITY] [DSA 4618-1] libexif security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2020/Feb/9"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libexif/libexif/issues/26"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566"}, {"name": "USN-4277-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4277-1/"}, {"name": "openSUSE-SU-2020:0264", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00000.html"}, {"name": "openSUSE-SU-2020:0793", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html"}, {"name": "FEDORA-2020-b4db792558", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VA5BPQLOFXIZOOJHBYDU635Z5KLUMTDD/"}, {"name": "FEDORA-2020-085150ac6e", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO2VTHD7OLPJDCJBHKUQTBAHZOBBCF6X/"}, {"name": "GLSA-202007-05", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202007-05"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@android.com", "ID": "CVE-2019-9278", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Android", "version": {"version_data": [{"version_value": "Android-10"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Remote code execution"}]}]}, "references": {"reference_data": [{"name": "https://source.android.com/security/bulletin/android-10", "refsource": "MISC", "url": "https://source.android.com/security/bulletin/android-10"}, {"name": "[oss-security] 20191025 Security fixes from Android 10 release which are relevant outside the Android ecosystem?", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/10/25/17"}, {"name": "[oss-security] 20191026 Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/10/27/1"}, {"name": "[oss-security] 20191107 Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/11/07/1"}, {"name": "DSA-4618", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4618"}, {"name": "[debian-lts-announce] 20200210 [SECURITY] [DLA 2100-1] libexif security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00007.html"}, {"name": "20200210 [SECURITY] [DSA 4618-1] libexif security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Feb/9"}, {"name": "https://github.com/libexif/libexif/issues/26", "refsource": "CONFIRM", "url": "https://github.com/libexif/libexif/issues/26"}, {"name": "https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566", "refsource": "CONFIRM", "url": "https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566"}, {"name": "USN-4277-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4277-1/"}, {"name": "openSUSE-SU-2020:0264", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00000.html"}, {"name": "openSUSE-SU-2020:0793", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html"}, {"name": "FEDORA-2020-b4db792558", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA5BPQLOFXIZOOJHBYDU635Z5KLUMTDD/"}, {"name": "FEDORA-2020-085150ac6e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO2VTHD7OLPJDCJBHKUQTBAHZOBBCF6X/"}, {"name": "GLSA-202007-05", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202007-05"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T21:46:29.867Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://source.android.com/security/bulletin/android-10"}, {"name": "[oss-security] 20191025 Security fixes from Android 10 release which are relevant outside the Android ecosystem?", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/10/25/17"}, {"name": "[oss-security] 20191026 Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/10/27/1"}, {"name": "[oss-security] 20191107 Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem?", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/11/07/1"}, {"name": "DSA-4618", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4618"}, {"name": "[debian-lts-announce] 20200210 [SECURITY] [DLA 2100-1] libexif security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00007.html"}, {"name": "20200210 [SECURITY] [DSA 4618-1] libexif security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2020/Feb/9"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libexif/libexif/issues/26"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566"}, {"name": "USN-4277-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4277-1/"}, {"name": "openSUSE-SU-2020:0264", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00000.html"}, {"name": "openSUSE-SU-2020:0793", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html"}, {"name": "FEDORA-2020-b4db792558", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VA5BPQLOFXIZOOJHBYDU635Z5KLUMTDD/"}, {"name": "FEDORA-2020-085150ac6e", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO2VTHD7OLPJDCJBHKUQTBAHZOBBCF6X/"}, {"name": "GLSA-202007-05", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202007-05"}]}]}, "cveMetadata": {"assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "assignerShortName": "google_android", "cveId": "CVE-2019-9278", "datePublished": "2019-09-27T18:05:14", "dateReserved": "2019-02-28T00:00:00", "dateUpdated": "2024-08-04T21:46:29.867Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D558D965-FA70-4822-A770-419E73BA9ED3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:*:*:*:*", "matchCriteriaId": "1F3EFED2-F6BC-46D9-AB22-D5ED87EF4549", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774"}, {"lang": "es", "value": "En libexif, se presenta una posible escritura fuera de l\u00edmites debido a un desbordamiento de enteros. Esto podr\u00eda conllevar a una escalada de privilegios remota en el proveedor de contenido multimedia sin ser necesarios privilegios de ejecuci\u00f3n adicionales. Es requerida una interacci\u00f3n del usuario para su explotaci\u00f3n. Producto: Android, Versiones: Android-10, ID de Android: A-112537774"}], "id": "CVE-2019-9278", "lastModified": "2023-11-07T03:13:38.217", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-27T19:15:19.060", "references": [{"source": "security@android.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00000.html"}, {"source": "security@android.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html"}, {"source": "security@android.com", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2019/10/25/17"}, {"source": "security@android.com", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2019/10/27/1"}, {"source": "security@android.com", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2019/11/07/1"}, {"source": "security@android.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566"}, {"source": "security@android.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/libexif/libexif/issues/26"}, {"source": "security@android.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00007.html"}, {"source": "security@android.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO2VTHD7OLPJDCJBHKUQTBAHZOBBCF6X/"}, {"source": "security@android.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VA5BPQLOFXIZOOJHBYDU635Z5KLUMTDD/"}, {"source": "security@android.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2020/Feb/9"}, {"source": "security@android.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202007-05"}, {"source": "security@android.com", "tags": ["Vendor Advisory"], "url": "https://source.android.com/security/bulletin/android-10"}, {"source": "security@android.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4277-1/"}, {"source": "security@android.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4618"}], "sourceIdentifier": "security@android.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:4040", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "libexif-0:0.6.22-1.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-09-29T00:00:00Z"}, {"advisory": "RHSA-2020:4766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libexif-0:0.6.22-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-11-04T00:00:00Z"}], "bugzilla": {"description": "libexif: out of bounds write in exif-data.c", "id": "1789031", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1789031"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-787", "details": ["In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774"], "name": "CVE-2019-9278", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "libexif", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libexif", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2019-12-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-9278\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-9278"], "threat_severity": "Moderate"}