A vulnerability has been found in Google Android 8.0/8.1/9.0 (Smartphone Operating System) and classified as problematic. This vulnerability affects the function query of the file TelephonyProvider.java of the component Permission Check. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. CVE summarizes:

In query of TelephonyProvider.java, there is a possible access to SIM card info due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9Android ID: A-140622024

The weakness was published 03/10/2020. This vulnerability was named CVE-2020-0035 since 10/17/2019. The attack needs to be approached locally. The requirement for exploitation is a single authentication. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1592.

Applying a patch is able to eliminate this problem.

Similar entries are available at VDB-151244, VDB-151243, VDB-151242 and VDB-151241. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Smartphone Operating System

Vendor

• Google

Name

• Android

Version

• 8.0
• 8.1
• 9.0

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion