PT-2022-27406 · Unknown · Openharmony

Published: 2022-12-08 · Updated: 2022-12-12 · CVE-2022-45118

CVSS v3.1: 6.2 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: OpenHarmony versions 3.1.2 and prior

Description: The issue concerns the telephony component in the communication subsystem of OpenHarmony, which sends public events containing personal data without proper permission settings. This allows malicious applications to listen to these public events and access sensitive information, including mobile numbers and SMS data, without having the necessary permissions.

Recommendations: For OpenHarmony versions 3.1.2 and prior, consider restricting access to the telephony component in the communication subsystem to prevent malicious apps from listening to public events until a fix is available. As a temporary workaround, review and adjust permission settings for all apps to minimize the risk of unauthorized data access.

Fix

Incorrect Default Permissions

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2022-45118

Affected Products

Openharmony