ID

VAR-201911-0440


CVE

CVE-2019-15475


TITLE

Xiaomi Mi A3 Access Control Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-41664 // CNNVD: CNNVD-201911-979

DESCRIPTION

The Xiaomi Mi A3 Android device with a build fingerprint of xiaomi/onc_eea/onc:9/PKQ1.181021.001/V10.2.8.0.PFLEUXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. The Xiaomi Mi A3 Android device is vulnerable to an externally controlled reference to a resource in another sphere (CWE-610). Information may be obtained. Xiaomi Mi A3 is a smartphone from China's Xiaomi Technology. An access control error vulnerability exists in the com.qualcomm.qti.callenhancement app in Xiaomi Mi A3 (build fingerprint: xiaomi/onc_eea/onc:9/PKQ1.181021.001/V10.2.8.0.PFLEUXM:user/release-keys). An attacker could use the vulnerability to make unauthorized microphone recordings with third-party software.

Trust: 2.16

sources: NVD: CVE-2019-15475 // JVNDB: JVNDB-2019-012072 // CNVD: CNVD-2019-41664

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-41664

AFFECTED PRODUCTS

vendor: mi, model: a3, scope: eq, version: -

Trust: 2.2

vendor: xiaomi, model: mi a3, scope: -, version: -

Trust: 1.4

sources: CNVD: CNVD-2019-41664 // JVNDB: JVNDB-2019-012072 // CNNVD: CNNVD-201911-979 // NVD: CVE-2019-15475

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15475
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-15475
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-41664
value: LOW

Trust: 0.6

CNNVD: CNNVD-201911-979
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-15475
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-41664
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-15475
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-15475
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-41664 // JVNDB: JVNDB-2019-012072 // CNNVD: CNNVD-201911-979 // NVD: CVE-2019-15475

PROBLEMTYPE DATA

problemtype:CWE-610

Trust: 1.8

sources: JVNDB: JVNDB-2019-012072 // NVD: CVE-2019-15475

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201911-979

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201911-979

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012072

PATCH

title: Mi A3, url: https://www.mi.com/global/mi-a3

Trust: 0.8

sources: JVNDB: JVNDB-2019-012072

EXTERNAL IDS

db: NVD, id: CVE-2019-15475

Trust: 3.0

db: JVNDB, id: JVNDB-2019-012072

Trust: 0.8

db: CNVD, id: CNVD-2019-41664

Trust: 0.6

db: CNNVD, id: CNNVD-201911-979

Trust: 0.6

sources: CNVD: CNVD-2019-41664 // JVNDB: JVNDB-2019-012072 // CNNVD: CNNVD-201911-979 // NVD: CVE-2019-15475

REFERENCES

url:https://www.kryptowire.com/android-firmware-2019/

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-15475

Trust: 2.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15475

Trust: 0.8

sources: CNVD: CNVD-2019-41664 // JVNDB: JVNDB-2019-012072 // CNNVD: CNNVD-201911-979 // NVD: CVE-2019-15475

SOURCES

db: CNVD, id: CNVD-2019-41664
db: JVNDB, id: JVNDB-2019-012072
db: CNNVD, id: CNNVD-201911-979
db: NVD, id: CVE-2019-15475

LAST UPDATE DATE

2024-11-23T22:21:24.748000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-41664, date: 2019-11-21T00:00:00
db: JVNDB, id: JVNDB-2019-012072, date: 2019-11-25T00:00:00
db: CNNVD, id: CNNVD-201911-979, date: 2019-11-20T00:00:00
db: NVD, id: CVE-2019-15475, date: 2024-11-21T04:28:49.290

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-41664, date: 2019-11-21T00:00:00
db: JVNDB, id: JVNDB-2019-012072, date: 2019-11-25T00:00:00
db: CNNVD, id: CNNVD-201911-979, date: 2019-11-14T00:00:00
db: NVD, id: CVE-2019-15475, date: 2019-11-14T17:15:24.727