PT-2016-5746 · Google · Aosp Mail
Guang Gong
+1
·
Publicado
2016-10-10
·
Atualizado
2016-11-28
·
CVE-2016-3918
CVSS v3.1
5.5
Média
| Vetor | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
AOSP Mail versions 4.x through 4.4.3
AOSP Mail versions 5.0.x through 5.0.1
AOSP Mail versions 5.1.x through 5.1.0
AOSP Mail versions 6.x before 2016-10-01
AOSP Mail versions 7.0 before 2016-10-01
Description
The issue allows attackers to read arbitrary attachments via a crafted application that provides a pathname value. This is due to the failure of the AttachmentProvider.java in AOSP Mail to ensure that certain values are integers.
Recommendations
For AOSP Mail versions 4.x through 4.4.3, update to version 4.4.4 or later.
For AOSP Mail versions 5.0.x through 5.0.1, update to version 5.0.2 or later.
For AOSP Mail versions 5.1.x through 5.1.0, update to version 5.1.1 or later.
For AOSP Mail versions 6.x before 2016-10-01, update to a version released on or after 2016-10-01.
For AOSP Mail versions 7.0 before 2016-10-01, update to a version released on or after 2016-10-01.
Correção
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Aosp Mail