Google Play Services SDK <18.0.2 pendingIntent mutability flaw
CVE-2022-2390 Published on August 12, 2022

Mutable pending intent in Google Play services SDK
Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps.

NVD

Vulnerability Analysis

CVE-2022-2390 is exploitable with local system access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a MAID Vulnerability?

The software does not properly protect an assumed-immutable element from being modified by an attacker. This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups.

CVE-2022-2390 has been classified to as a MAID vulnerability or weakness.


Products Associated with CVE-2022-2390

Want to know whenever a new CVE is published for Google Play Services Software Development Kit? stack.watch will email you.

Google Play Services Software Development Kit
 

Affected Versions

Google LLC Play Services SDK:

Exploit Probability

EPSS
0.04%
Percentile
11.84%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.