A vulnerability was found in Google Android on One/Nexus 5/5X/6/6P/7 2013/9/Player/Pixel C (Smartphone Operating System) and classified as problematic. Affected by this issue is an unknown code of the component Networking. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. CVE summarizes:

The networking component in Android before 2016-07-05 on Android One, Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Nexus Player, and Pixel C devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 27532522.

The weakness was presented 07/06/2016 as Android Security Bulletin - July 2016 as confirmed security bulletin (Website). The advisory is shared for download at source.android.com. This vulnerability is handled as CVE-2016-3809 since 03/30/2016. The exploitation is known to be easy. The attack needs to be approached locally. A simple authentication is needed for exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.

Upgrading to version 2016-07-05 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

See 88897, 88898, 88899 and 88900 for similar entries.

Productinfo

Type

• Smartphone Operating System

Vendor

• Google

Name

• Android

License

• free

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion