PT-2022-16400 · Unknown · Knoxprivacynoticereceiver+1

H0Rd7

Published

2022-02-11

Updated

2022-02-22

CVE-2022-23999

CVSS v3.1

3.9

Low

Vector

AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions CpaReceiver versions prior to SMR Feb-2022 Release 1

Description The issue allows local attackers to access media files without permission in KnoxPrivacyNoticeReceiver via implicit Intent. This is due to a PendingIntent hijacking vulnerability in CpaReceiver.

Recommendations For versions prior to SMR Feb-2022 Release 1, consider restricting access to the KnoxPrivacyNoticeReceiver to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using implicit Intents in the CpaReceiver until the issue is resolved.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2022-23999

Affected Products

Cpareceiver

Knoxprivacynoticereceiver

PT-2022-16400 · Unknown · Knoxprivacynoticereceiver+1

CVE-2022-23999

Weakness Enumeration

Related Identifiers

Affected Products

References · 5