Sign-up

ID

VAR-201812-0108


CVE

CVE-2018-14986


TITLE

Leagoo Z5C Android Information disclosure vulnerability in devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-014507

DESCRIPTION

The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed app with a package name of com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) containing an exported content provider named com.android.messaging.datamodel.MessagingContentProvider. Any app co-located on the device can read the most recent text message from each conversation. That is, for each phone number where the user has either sent or received a text message from, a zero-permission third-party app can obtain the body of the text message, phone number, name of the contact (if it exists), and a timestamp for the most recent text message of each conversation. As the querying of the vulnerable content provider app component can be performed silently in the background, a malicious app can continuously monitor the content provider to see if the current message in each conversation has changed to obtain new text messages. Leagoo Z5C Android The device contains an information disclosure vulnerability.Information may be obtained. Leagoo Z5C is a smart phone based on Android platform produced by Leagoo Malaysia

Trust: 1.71

sources: NVD: CVE-2018-14986 // JVNDB: JVNDB-2018-014507 // VULHUB: VHN-125200

AFFECTED PRODUCTS

vendor:leagoomodel:z5cscope:eqversion: -

Trust: 1.0

vendor:leagoo globalmodel:z5cscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2018-014507 // NVD: CVE-2018-14986

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-14986
value: HIGH

Trust: 1.0

NVD: CVE-2018-14986
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201812-1249
value: MEDIUM

Trust: 0.6

VULHUB: VHN-125200
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-14986
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125200
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-14986
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-125200 // JVNDB: JVNDB-2018-014507 // CNNVD: CNNVD-201812-1249 // NVD: CVE-2018-14986

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-125200 // JVNDB: JVNDB-2018-014507 // NVD: CVE-2018-14986

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201812-1249

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-014507

PATCH
title:Top Pageurl:https://www.leagoo.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2018-014507

EXTERNAL IDS
db:NVDid:CVE-2018-14986
Trust: 2.5
db:JVNDBid:JVNDB-2018-014507
Trust: 0.8
db:CNNVDid:CNNVD-201812-1249
Trust: 0.7
db:VULHUBid:VHN-125200
Trust: 0.1
sources:
            
            
            VULHUB: VHN-125200 // 
            
            
            
            JVNDB: JVNDB-2018-014507 // 
            
            
            
            CNNVD: CNNVD-201812-1249 // 
            
            
            
            NVD: CVE-2018-14986

REFERENCES
url:https://www.kryptowire.com/portal/wp-content/uploads/2018/12/defcon-26-johnson-and-stavrou-vulnerable-out-of-the-box-an-eval-of-android-carrier-devices-wp-updated.pdf
Trust: 2.5
url:https://www.kryptowire.com/portal/android-firmware-defcon-2018/
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14986
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-14986
Trust: 0.8
sources:
            
            
            VULHUB: VHN-125200 // 
            
            
            
            JVNDB: JVNDB-2018-014507 // 
            
            
            
            CNNVD: CNNVD-201812-1249 // 
            
            
            
            NVD: CVE-2018-14986

SOURCES
db:VULHUBid:VHN-125200
db:JVNDBid:JVNDB-2018-014507
db:CNNVDid:CNNVD-201812-1249
db:NVDid:CVE-2018-14986

LAST UPDATE DATE
2024-11-23T21:52:38.217000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-125200date:2019-02-14T00:00:00
db:JVNDBid:JVNDB-2018-014507date:2019-03-25T00:00:00
db:CNNVDid:CNNVD-201812-1249date:2019-02-18T00:00:00
db:NVDid:CVE-2018-14986date:2024-11-21T03:50:15.450

SOURCES RELEASE DATE
db:VULHUBid:VHN-125200date:2018-12-28T00:00:00
db:JVNDBid:JVNDB-2018-014507date:2019-03-25T00:00:00
db:CNNVDid:CNNVD-201812-1249date:2018-12-29T00:00:00
db:NVDid:CVE-2018-14986date:2018-12-28T21:29:00.433