CVE-2014-7922

EPSS 0.1%
Published 23.02.2015 02:59:00
Last modified 12.04.2025 10:46:40
Source chrome-cve-admin@google.com
Teams watchlist Login
Open Login

The GoogleAuthUtil.getToken method in the Google Play services SDK before 2015 sets parameters in OAuth token requests upon finding a corresponding _opt_ parameter in the Bundle extras argument, which allows attackers to bypass an intended consent dialog and retrieve tokens for arbitrary OAuth scopes including the SID and LSID scopes, and consequently obtain access to a Google account, via a crafted application, as demonstrated by setting the has_permission=1 parameter value upon finding _opt_has_permission in that argument.

Affected products Warnungen 0 Metrics 2 CWE 0 References 5

Data is provided by the National Vulnerability Database (NVD)

Google ≫ Play Services Sdk Version <= 6.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.24

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

http://isciurus.blogspot.com/2015/01/android-app-with-full-control-over-your.html

https://gist.github.com/isciurus/df4d7edd9c3efb4a0753

https://nvd.nist.gov/vuln/detail/CVE-2014-7922

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-7922

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-7922

EUVD