CVE-2022-20199 in Android

Summary

by MITRE • 12/16/2022

In multiple locations of NfcService.java, there is a possible disclosure of NFC tags due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-13
Android ID: A-199291025


Analysis

by VulDB Data Team • 04/12/2026

The vulnerability described in CVE-2022-20199 represents a critical confused deputy problem within the Android NFC service implementation, specifically within the NfcService.java component. This issue stems from a fundamental flaw in how the system handles NFC tag operations, where legitimate NFC service processes can be manipulated by malicious actors to access NFC tag data that should remain restricted. The confused deputy vulnerability occurs when a trusted component is tricked into performing operations on behalf of an untrusted entity, creating an unauthorized data disclosure scenario.

The technical flaw manifests in multiple locations within the NfcService.java file where NFC tag access controls are improperly enforced. This allows for potential information disclosure through NFC tag data that should be protected from unauthorized access. The vulnerability specifically affects Android 13 systems and is identified by the Android ID A-199291025. The root cause lies in the improper validation of NFC tag operations and the lack of adequate access controls that would normally prevent unauthorized data access. This vulnerability is particularly concerning because it operates at the system level where NFC services are invoked, making it difficult to detect and exploit without proper system-level privileges.

The operational impact of this vulnerability extends beyond simple information disclosure, as it could potentially allow attackers to extract sensitive data from NFC tags that may contain personal information, authentication credentials, or other confidential data. The exploitation requires no additional execution privileges and does not need user interaction, making it particularly dangerous as it can be triggered automatically. This vulnerability affects the core NFC functionality of Android devices, potentially compromising all NFC-enabled operations and exposing users to unauthorized data access. The nature of NFC technology means that this vulnerability could be exploited in various scenarios including proximity-based attacks, where attackers could position themselves near NFC-enabled devices to exploit this flaw.

Security mitigations for this vulnerability should focus on implementing proper access controls and validation mechanisms within the NFC service components. The fix requires strengthening the permission checks and ensuring that NFC tag operations are properly validated before execution. This includes implementing proper input sanitization, enforcing strict access control policies, and ensuring that only authorized processes can access NFC tag data. The vulnerability aligns with CWE-284, which describes improper access control issues, and could potentially map to ATT&CK technique T1546.001 for privilege escalation through service manipulation. Organizations should ensure that their Android devices are updated with the latest security patches and that NFC functionality is properly monitored for unauthorized access attempts. Regular security audits of NFC service implementations should be conducted to identify potential confused deputy vulnerabilities and other access control issues.

Reservation

10/14/2021

Disclosure

12/16/2022

Moderation

accepted

CPE

ready

EPSS

0.00120

KEV

no

Activities

very low
