ID

VAR-201911-0439


CVE

CVE-2019-15474


TITLE

Xiaomi Cepheus Access Control Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-41663 // CNNVD: CNNVD-201911-980

DESCRIPTION

The Xiaomi Cepheus Android device with a build fingerprint of Xiaomi/cepheus/cepheus:9/PKQ1.181121.001/V10.2.6.0.PFAMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. The Xiaomi Cepheus Android device is vulnerable to an externally controllable reference to a resource in another realm. Information may be obtained. Xiaomi Cepheus is a smartphone from China's Xiaomi Technology. The access control error vulnerability exists in the com.qualcomm.qti.callenhancement app in Xiaomi Cepheus (build fingerprint: Xiaomi/cepheus/cepheus:9/PKQ1.181121.001/V10.2.6.0.PFAMIXM:user/release-keys). An attacker could use the vulnerability to make unauthorized microphone recordings with third-party software.

Trust: 2.25

sources: NVD: CVE-2019-15474 // JVNDB: JVNDB-2019-012071 // CNVD: CNVD-2019-41663 // VULMON: CVE-2019-15474

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-41663

AFFECTED PRODUCTS

vendor: mi, model: cepheus, scope: eq, version: -

Trust: 2.2

vendor: xiaomi, model: cepheus, scope: -, version: -

Trust: 1.4

sources: CNVD: CNVD-2019-41663 // JVNDB: JVNDB-2019-012071 // CNNVD: CNNVD-201911-980 // NVD: CVE-2019-15474

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-15474
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-15474
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-41663
value: LOW

Trust: 0.6

CNNVD: CNNVD-201911-980
value: MEDIUM

Trust: 0.6

VULMON: CVE-2019-15474
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-15474
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-41663
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2019-15474
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-15474
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-41663 // VULMON: CVE-2019-15474 // JVNDB: JVNDB-2019-012071 // CNNVD: CNNVD-201911-980 // NVD: CVE-2019-15474

PROBLEMTYPE DATA

problemtype: CWE-610

Trust: 1.8

sources: JVNDB: JVNDB-2019-012071 // NVD: CVE-2019-15474

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201911-980

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201911-980

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012071

PATCH

title: Top Page, url: https://www.mi.com/global

Trust: 0.8

sources: JVNDB: JVNDB-2019-012071

EXTERNAL IDS

db: NVD, id: CVE-2019-15474

Trust: 3.1

db: JVNDB, id: JVNDB-2019-012071

Trust: 0.8

db: CNVD, id: CNVD-2019-41663

Trust: 0.6

db: CNNVD, id: CNNVD-201911-980

Trust: 0.6

db: VULMON, id: CVE-2019-15474

Trust: 0.1

sources: CNVD: CNVD-2019-41663 // VULMON: CVE-2019-15474 // JVNDB: JVNDB-2019-012071 // CNNVD: CNNVD-201911-980 // NVD: CVE-2019-15474

REFERENCES

url: https://www.kryptowire.com/android-firmware-2019/

Trust: 2.5

url: https://nvd.nist.gov/vuln/detail/cve-2019-15474

Trust: 2.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15474

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/610.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2019-41663 // VULMON: CVE-2019-15474 // JVNDB: JVNDB-2019-012071 // CNNVD: CNNVD-201911-980 // NVD: CVE-2019-15474

SOURCES

db: CNVD, id: CNVD-2019-41663
db: VULMON, id: CVE-2019-15474
db: JVNDB, id: JVNDB-2019-012071
db: CNNVD, id: CNNVD-201911-980
db: NVD, id: CVE-2019-15474

LAST UPDATE DATE

2024-11-23T23:08:13.393000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-41663, date: 2019-11-21T00:00:00
db: VULMON, id: CVE-2019-15474, date: 2019-11-19T00:00:00
db: JVNDB, id: JVNDB-2019-012071, date: 2019-11-25T00:00:00
db: CNNVD, id: CNNVD-201911-980, date: 2019-11-20T00:00:00
db: NVD, id: CVE-2019-15474, date: 2024-11-21T04:28:49.147

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-41663, date: 2019-11-21T00:00:00
db: VULMON, id: CVE-2019-15474, date: 2019-11-14T00:00:00
db: JVNDB, id: JVNDB-2019-012071, date: 2019-11-25T00:00:00
db: CNNVD, id: CNNVD-201911-980, date: 2019-11-14T00:00:00
db: NVD, id: CVE-2019-15474, date: 2019-11-14T17:15:24.677