CVE-2014-7922

EPSS 0.1%
Veröffentlicht 23.02.2015 02:59:00
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle chrome-cve-admin@google.com
Teams Watchlist Login
Unerledigt Login

The GoogleAuthUtil.getToken method in the Google Play services SDK before 2015 sets parameters in OAuth token requests upon finding a corresponding _opt_ parameter in the Bundle extras argument, which allows attackers to bypass an intended consent dialog and retrieve tokens for arbitrary OAuth scopes including the SID and LSID scopes, and consequently obtain access to a Google account, via a crafted application, as demonstrated by setting the has_permission=1 parameter value upon finding _opt_has_permission in that argument.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Google ≫ Play Services Sdk Version <= 6.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.24

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

http://isciurus.blogspot.com/2015/01/android-app-with-full-control-over-your.html

https://gist.github.com/isciurus/df4d7edd9c3efb4a0753

https://nvd.nist.gov/vuln/detail/CVE-2014-7922

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-7922

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-7922

EUVD