#VU45401 Input validation error in Google Android - CVE-2011-0680
Published: January 31, 2011 / Updated: August 11, 2020
Vulnerability identifier: #VU45401
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2011-0680
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Google Android
Google Android
Software vendor:
Google
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
data/WorkingMessage.java in the Mms application in Android before 2.2.2 and 2.3.x before 2.3.2 does not properly manage the draft cache, which allows remote attackers to read SMS messages intended for other recipients in opportunistic circumstances via a standard text messaging service.
Remediation
Install update from vendor's website.
External links
- http://android.git.kernel.org/?p=platform/packages/apps/Mms.git;a=commit;h=18d6b7e9d2e538fb3c0264332b96c02abf367267
- http://android.git.kernel.org/?p=platform/packages/apps/Mms.git;a=commit;h=4d26623ce82230e8e7009adb921c5edea370a9e0
- http://code.google.com/p/android/issues/detail?id=9392#c1460
- http://code.google.com/p/android/issues/detail?id=9392#c1620
- http://phandroid.com/2011/01/21/android-2-3-2-update-pushing-to-nexus-s-phone-fixes-sms-bug/
- http://twitter.com/GalaxySsupport/statuses/28078194607263744
- http://www.engadget.com/2011/01/22/nexus-one-gets-tiny-update-to-android-2-2-2-probably-fixes-sms/
- http://www.htcphones.net/nexus-one-update-to-android-2-2-2/
- http://www.samsunghub.com/2011/01/22/nexus-s-gets-android-2-3-2-fixes-sms-bug/
- http://www.securityfocus.com/bid/46105
- http://www.theinquirer.net/inquirer/news/1939386/google-updates-nexus-android-222
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65125