A vulnerability classified as problematic was found in Google Android 8.0/8.1/9.0/10.0 (Smartphone Operating System). This vulnerability affects the function updatePreferenceIntents. The manipulation with an unknown input leads to a toctou vulnerability. The CWE definition for the vulnerability is CWE-367. The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

In updatePreferenceIntents of AccountTypePreferenceLoader, there is a possible confused deputy attack due to a race condition. This could lead to local escalation of privilege and launching privileged activities with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-150946634

The weakness was released 08/11/2020 (Website). The advisory is shared for download at source.android.com. This vulnerability was named CVE-2020-0238 since 10/17/2019. The attack needs to be approached locally. A single authentication is required for exploitation. There are known technical details, but no exploit is available.

Applying a patch is able to eliminate this problem.

Entries connected to this vulnerability are available at 159615, 159617, 159618 and 159619.

Productinfo

Type

• Smartphone Operating System

Vendor

• Google

Name

• Android

Version

• 8.0
• 8.1
• 9.0
• 10.0

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion