CVE-2009-1754

CVSS V2 Medium 4.3 CVSS V3 None

Description

The PackageManagerService class in services/java/com/android/server/PackageManagerService.java in Android 1.5 through 1.5 CRB42 does not properly check developer certificates during processing of sharedUserId requests at an application's installation time, which allows remote user-assisted attackers to access application data by creating a package that specifies a shared user ID with an arbitrary application.

Overview

CVE ID
CVE-2009-1754

Assigner
cve@mitre.org

Vulnerability Status
Analyzed

Published Version
2009-05-26T15:30:05

Last Modified Date
2012-02-29T05:00:00

Weakness Enumerations

CWE	URL
CWE-287	http://cwe.mitre.org/data/definitions/287.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:o:google:android:1.5:::::::*	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector
NETWORK

Access Compatibility
MEDIUM

Authentication
NONE

Confidentiality Impact
PARTIAL

Integrity Impact
NONE

Availability Impact
NONE

Base Score
4.3

Severity
MEDIUM

Exploitability Score
8.6

Impact Score
2.9

References

Reference URL	Reference Tags
http://www.ocert.org/advisories/ocert-2009-006.html	Patch
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=5d6d773fab559fdc12e553d60d789f3991ac552c	Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2009/05/22/14
http://www.securityfocus.com/archive/1/503770
http://www.securityfocus.com/bid/35090

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2009-1754
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1754

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 10:56:02				Added to TrackCVE