CVE-2021-25392 - OpenCVE

Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Android

Configuration 1 [-]

OR	cpe:2.3:o:google:android:9.0:::::::*
	cpe:2.3:o:google:android:10.0:::::::*
	cpe:2.3:o:google:android:11.0:::::::*

No data.

References

Link	Providers
https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/
https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=5

History

No history.

MITRE

Status: PUBLISHED

Assigner: Samsung Mobile

Published: 2021-06-11T14:45:22

Updated: 2024-08-03T20:03:05.579Z

Reserved: 2021-01-19T00:00:00

Link: CVE-2021-25392

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-11T15:15:08.813

Modified: 2021-06-16T20:26:15.957

Link: CVE-2021-25392

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Samsung Mobile Devices ", "vendor": "Samsung Mobile", "versions": [{"lessThan": "SMR MAY-2021 Release 1", "status": "affected", "version": "P(9.0), Q(10.0) , R(11.0)", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-11T14:48:07", "orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "Samsung Mobile"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/"}, {"tags": ["x_refsource_MISC"], "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=5"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "mobile.security@samsung.com", "ID": "CVE-2021-25392", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Samsung Mobile Devices ", "version": {"version_data": [{"version_affected": "<", "version_name": "P(9.0), Q(10.0) , R(11.0)", "version_value": "SMR MAY-2021 Release 1"}]}}]}, "vendor_name": "Samsung Mobile"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/", "refsource": "MISC", "url": "https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/"}, {"name": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=5", "refsource": "MISC", "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=5"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:03:05.579Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=5"}]}]}, "cveMetadata": {"assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "assignerShortName": "Samsung Mobile", "cveId": "CVE-2021-25392", "datePublished": "2021-06-11T14:45:22", "dateReserved": "2021-01-19T00:00:00", "dateUpdated": "2024-08-03T20:03:05.579Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "8DFAAD08-36DA-4C95-8200-C29FE5B6B854", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D558D965-FA70-4822-A770-419E73BA9ED3", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "109DD7FD-3A48-4C3D-8E1A-4433B98E1E64", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path."}, {"lang": "es", "value": "Una protecci\u00f3n inapropiada de la configuraci\u00f3n de la ruta de copia de seguridad en Samsung Dex versiones anteriores a SMR MAY-2021 Release 1, permite a atacantes locales obtener informaci\u00f3n confidencial por medio de la modificaci\u00f3n de la ruta"}], "id": "CVE-2021-25392", "lastModified": "2021-06-16T20:26:15.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 1.4, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2021-06-11T15:15:08.813", "references": [{"source": "mobile.security@samsung.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/"}, {"source": "mobile.security@samsung.com", "tags": ["Vendor Advisory"], "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=5"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "mobile.security@samsung.com", "type": "Secondary"}]}