CVE-2022-29580

There exists a path traversal vulnerability in the Android Google Search app. This is caused by the incorrect usage of uri.getLastPathSegment. A symbolic encoded string can bypass the path logic to get access to unintended directories. An attacker can manipulate paths that could lead to code execution on the device. We recommend upgrading beyond version 13.41

CVSS v3 8.9 HIGH

8.9^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://support.google.com/faqs/answer/7496913?hl=en	Exploit Vendor Advisory
https://support.google.com/faqs/answer/7496913?hl=en	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:google_search:*:*:*:*:*:android:*:*

History

21 Nov 2024, 06:59

Type	Values Removed	Values Added
References	~~() https://support.google.com/faqs/answer/7496913?hl=en - Exploit, Vendor Advisory~~	() https://support.google.com/faqs/answer/7496913?hl=en - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.8~~	v2 : unknown v3 : 8.9

21 Jul 2023, 16:44

Type	Values Removed	Values Added
CWE	~~CWE-427~~	CWE-22

15 Dec 2022, 19:26

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-12-13 15:15

Updated : 2024-11-21 06:59

NVD link : CVE-2022-29580

Mitre link : CVE-2022-29580

CVE.ORG link : CVE-2022-29580

JSON object : View

Products Affected

google

google_search

CWE

CWE-427

Uncontrolled Search Path Element

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2022-29580", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2022-12-13T15:15:10.850", "references": [{"url": "https://support.google.com/faqs/answer/7496913?hl=en", "tags": ["Exploit", "Vendor Advisory"], "source": "cve-coordination@google.com"}, {"url": "https://support.google.com/faqs/answer/7496913?hl=en", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-427"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "There exists a path traversal vulnerability in the Android Google Search app. This is caused by the incorrect usage of uri.getLastPathSegment. A symbolic encoded string can bypass the path logic to get access to unintended directories. An attacker can manipulate paths that could lead to code execution on the device. We recommend upgrading beyond version 13.41"}, {"lang": "es", "value": "Existe una vulnerabilidad de path traversal en la aplicaci\u00f3n de Google Search de Android. Esto se debe al uso incorrecto de uri.getLastPathSegment. Una cadena codificada simb\u00f3lica puede omitir la l\u00f3gica de ruta para obtener acceso a directorios no deseados. Un atacante puede manipular rutas que podr\u00edan conducir a la ejecuci\u00f3n de c\u00f3digo en el dispositivo. Recomendamos actualizar m\u00e1s all\u00e1 de la versi\u00f3n 13.41"}], "lastModified": "2024-11-21T06:59:20.543", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:google_search:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "00F2556B-6E0B-4C39-933F-FFDB0E12B1C8", "versionEndExcluding": "13.41"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}