Google Android up to 4.4.3/5.0.1/5.1.0/6.x Proxy Auto-Config PacProxySelector.java Credentials input validation

Summaryinfo

A vulnerability has been found in Google Android up to 4.4.3/5.0.1/5.1.0/6.x and classified as problematic. This affects an unknown part of the file net/PacProxySelector.java of the component Proxy Auto-Config. Performing a manipulation results in input validation (Credentials). This vulnerability is cataloged as CVE-2016-3763. The attack must be initiated from a local position. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as problematic, was found in Google Android up to 4.4.3/5.0.1/5.1.0/6.x (Smartphone Operating System). This affects an unknown part of the file net/PacProxySelector.java of the component Proxy Auto-Config. The manipulation with an unknown input leads to a input validation vulnerability (Credentials). CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on confidentiality. The summary by CVE is:

net/PacProxySelector.java in the Proxy Auto-Config (PAC) feature in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01 does not ensure that URL information is restricted to a scheme, host, and port, which allows remote attackers to discover credentials by operating a server with a PAC script, aka internal bug 27593919.

The weakness was shared 07/06/2016 as Android Security Bulletin - July 2016 as confirmed security bulletin (Website). It is possible to read the advisory at source.android.com. This vulnerability is uniquely identified as CVE-2016-3763 since 03/30/2016. Attacking locally is a requirement. A authentication is necessary for exploitation. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 4.4.4, 5.0.2, 5.1.1 or 6.0 2016-07-01 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The entries VDB-88897, VDB-88898, VDB-88899 and VDB-88900 are related to this item. Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Smartphone Operating System

Vendor

• Google

Name

• Android

Version

• 1.0
• 1.1
• 1.5
• 1.6
• 2.0
• 2.0.1
• 2.1
• 2.2
• 2.2.1
• 2.2.2
• 2.2.3
• 2.3
• 2.3.1
• 2.3.2
• 2.3.3
• 2.3.4
• 2.3.5
• 2.3.6
• 2.3.7
• 3.0
• 3.1
• 3.2
• 3.2.1
• 3.2.2
• 3.2.3
• 3.2.4
• 3.2.5
• 3.2.6
• 4.0
• 4.0.1
• 4.0.2
• 4.0.3
• 4.0.4
• 4.1
• 4.1.1
• 4.1.2
• 4.2
• 4.2.1
• 4.2.2
• 4.3
• 4.3.1
• 4.4
• 4.4.1
• 4.4.2
• 4.4.3
• 4.4.4
• 5.0
• 5.0.1
• 5.1.0
• 6.x

License

• free

Website

• Vendor: https://www.google.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion