CVE-2019-15426

{"id": "CVE-2019-15426", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2019-11-14T17:15:21.537", "references": [{"url": "https://www.kryptowire.com/android-firmware-2019/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-610"}]}], "descriptions": [{"lang": "en", "value": "The Xiaomi 5S Plus Android device with a build fingerprint of Xiaomi/natrium/natrium:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device."}, {"lang": "es", "value": "El dispositivo Xiaomi 5S Plus Android con una huella digital de compilaci\u00f3n de Xiaomi/natrium/natrium:6.0.1/MXB48T/7.1.5:user/release-keys, contiene una aplicaci\u00f3n preinstalada con un nombre de paquete de aplicaci\u00f3n com.miui.powerkeeper (versionCode=40000, versionName=4.0.00), que permite la modificaci\u00f3n de la configuraci\u00f3n inal\u00e1mbrica no autorizada por medio de un ataque de tipo confused deputy. Esta capacidad puede ser accedida mediante cualquier aplicaci\u00f3n ubicada en el dispositivo."}], "lastModified": "2019-11-25T15:25:28.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:mi:5s_plus_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "551579BD-7CC7-494D-BAF2-02996DFEF305"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:mi:5s_plus:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3393560B-1A27-4739-A489-CA5D86585E57"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}