CVE-2016-2425

Name of the Vulnerable Software and Affected Versions AOSP Mail versions prior to 4.4.4 AOSP Mail versions 5.0.x prior to 5.0.2 AOSP Mail versions 5.1.x prior to 5.1.1 AOSP Mail versions 6.x before 2016-04-01

Description The issue is related to the lack of protection for sensitive data in the mail/compose/ComposeActivity.java component of AOSP Mail in the Android operating system. This can be exploited by a remote attacker using a specially crafted application to obtain confidential information. The vulnerability is specifically related to the support of file:///data attachments in the affected versions.

Recommendations For versions prior to 4.4.4, update to version 4.4.4 or later. For versions 5.0.x prior to 5.0.2, update to version 5.0.2 or later. For versions 5.1.x prior to 5.1.1, update to version 5.1.1 or later. For versions 6.x before 2016-04-01, ensure that the patch level is 2016-04-01 or later. As a temporary workaround, consider restricting the use of the file:///data attachment feature in the mail/compose/ComposeActivity.java component until a patch is available.