PT-2021-13066 · Google · Android
Published
2021-03-10
·
Updated
2022-07-12
·
CVE-2021-0388
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Android version Android-11
Description:
In the
onReceive method of ImsPhoneCallTracker.java, there is a possible misattribution of data usage due to an incorrect broadcast handler. This could lead to local escalation of privilege, resulting in attributing video call data to the wrong app, with no additional execution privileges needed. User interaction is not needed for exploitation.Recommendations:
For Android version Android-11, consider restricting access to the
ImsPhoneCallTracker.java module to minimize the risk of exploitation until a patch is available. As a temporary workaround, review and adjust broadcast handlers to prevent incorrect data attribution.Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Android