CVE-2017-13314

In setAllowOnlyVpnForUids of NetworkManagementService.java, there is a possible security settings bypass due to a missing permission check. This could lead to local escalation of privilege allowing users to access non-VPN networks, when they are supposed to be restricted to the VPN networks, with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://source.android.com/security/bulletin/2018-05-01

Configurations

No configuration.

History

19 Nov 2024, 16:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE		CWE-276

18 Nov 2024, 17:11

Type	Values Removed	Values Added
Summary		(es) En setAllowOnlyVpnForUids de NetworkManagementService.java, existe una posible omisión de la configuración de seguridad debido a la falta de una verificación de permisos. Esto podría provocar una escalada local de privilegios que permita a los usuarios acceder a redes que no sean VPN, cuando se supone que deben estar restringidos a las redes VPN, sin necesidad de privilegios de ejecución adicionales. No se necesita la interacción del usuario para la explotación.

15 Nov 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-15 22:15

Updated : 2024-11-19 16:35

NVD link : CVE-2017-13314

Mitre link : CVE-2017-13314

CVE.ORG link : CVE-2017-13314

JSON object : View

Products Affected

No product.

CWE

CWE-276

Incorrect Default Permissions

7.8 /10