CVE-2022-2390 - OpenCVE

Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Google Play Services Software Development Kit

Configuration 1 [-]

cpe:2.3:a:google:google_play_services_software_development_kit:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://developers.google.com/android/guides/releases#may_03_2022
https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2022-08-12T10:25:08

Updated: 2024-08-03T00:39:06.370Z

Reserved: 2022-07-12T00:00:00

Link: CVE-2022-2390

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-12T11:15:07.870

Modified: 2022-08-17T13:24:38.217

Link: CVE-2022-2390

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Play Services SDK", "vendor": "Google LLC", "versions": [{"lessThan": "18.0.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-471", "description": "CWE-471 Modification of Assumed-Immutable Data (MAID)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-12T10:25:08", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://developers.google.com/android/guides/releases#may_03_2022"}, {"tags": ["x_refsource_MISC"], "url": "https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2"}], "source": {"discovery": "EXTERNAL"}, "title": "Mutable pending intent in Google Play services SDK", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2022-2390", "STATE": "PUBLIC", "TITLE": "Mutable pending intent in Google Play services SDK"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Play Services SDK", "version": {"version_data": [{"version_affected": "<", "version_value": "18.0.2"}]}}]}, "vendor_name": "Google LLC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-471 Modification of Assumed-Immutable Data (MAID)"}]}]}, "references": {"reference_data": [{"name": "https://developers.google.com/android/guides/releases#may_03_2022", "refsource": "MISC", "url": "https://developers.google.com/android/guides/releases#may_03_2022"}, {"name": "https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2", "refsource": "MISC", "url": "https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:06.370Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://developers.google.com/android/guides/releases#may_03_2022"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2022-2390", "datePublished": "2022-08-12T10:25:08", "dateReserved": "2022-07-12T00:00:00", "dateUpdated": "2024-08-03T00:39:06.370Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:google_play_services_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4CECF19-065C-4E49-A711-F14CAC5076D8", "versionEndExcluding": "18.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps."}, {"lang": "es", "value": "Las aplicaciones desarrolladas con el SDK de servicios de Google Play ten\u00edan incorrectamente el indicador de mutabilidad establecido en PendingIntents que es pasado al servicio de notificaciones. Dado que el SDK de servicios de Google Play es usado ampliamente, este error afecta a muchas aplicaciones. Para una aplicaci\u00f3n afectada, este error permitir\u00e1 al atacante, obtener el acceso a todos los proveedores no exportados y/o conseguir el acceso a otros proveedores que la v\u00edctima presenta permisos. Es recomendado actualizar a versi\u00f3n 18.0.2 del SDK de Play Service, as\u00ed como reconstruir y volver a desplegar las aplicaciones."}], "id": "CVE-2022-2390", "lastModified": "2022-08-17T13:24:38.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 4.7, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2022-08-12T11:15:07.870", "references": [{"source": "cve-coordination@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developers.google.com/android/guides/releases#may_03_2022"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement/18.0.2"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-471"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}