CVE-2016-6910

{"id": "CVE-2016-6910", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2016-12-23T16:59:00.147", "references": [{"url": "http://www.kryptowire.com/disclosures/CVE-2016-6910/Factory_Resets_and_Obtaining_Notifications_on_Samsung_Android_Devices.pdf", "tags": ["Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/95092", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The non-existent notification listener vulnerability was introduced in the initial Android 5.0.2 builds for the Samsung Galaxy S6 Edge devices, but the vulnerability can persist on the device even after the device has been upgraded to an Android 5.1.1 or 6.0.1 build. The vulnerable system app gives a non-existent app the ability to read the notifications from the device, which a third-party app can utilize if it uses a package name of com.samsung.android.app.portalservicewidget. This vulnerability allows an unprivileged third-party app to obtain the text of the user's notifications, which tend to contain personal data."}, {"lang": "es", "value": "La vulnerabilidad de oyente de notificaci\u00f3n inexistente se introdujo en las primeras versiones de Android 5.0.2 para los dispositivos Samsung Galaxy S6 Edge, pero la vulnerabilidad puede persistir en el dispositivo incluso despu\u00e9s de que el dispositivo se haya actualizado a una versi\u00f3n de Android 5.1.1 o 6.0.1. La aplicaci\u00f3n del sistema vulnerable da a una aplicaci\u00f3n inexistente la capacidad de leer las notificaciones del dispositivo, que una aplicaci\u00f3n de terceros puede utilizar si usa un nombre de paquete de com.samsung.android.app.portalservicewidget. Esta vulnerabilidad permite que una aplicaci\u00f3n de terceros sin privilegios obtenga el texto de las notificaciones del usuario, que tienden a contener datos personales."}], "lastModified": "2016-12-28T02:59:31.780", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:5.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E9915371-C730-41F7-B86E-7E4DE0DF5385"}, {"criteria": "cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1D94CDD-DE7B-444E-A3AE-AE9C9A779374"}, {"criteria": "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "691FA41B-C2CE-413F-ABB1-0B22CB322807"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}