ID

VAR-201911-0583


CVE

CVE-2019-15467


TITLE

Vulnerability in Xiaomi Mi Mix 2S Android devices related to externally controllable references to resources in other domains

Trust: 0.8

sources: JVNDB: JVNDB-2019-012140

DESCRIPTION

The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with the package name com.huaqin.factory (versionCode=1, versionName=A2060_201801032053) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. The Xiaomi Mi Mix 2S Android device is vulnerable to an externally controllable reference to a resource in another sphere. Information may be tampered with. Xiaomi Mi Mix 2S is a smartphone from China's Xiaomi Technology. The vulnerability stems from a network system or product that does not properly restrict access to resources from unauthorized roles. An attacker could exploit this vulnerability to modify wireless settings without authorization through a confused deputy attack.

Trust: 2.16

sources: NVD: CVE-2019-15467 // JVNDB: JVNDB-2019-012140 // CNVD: CNVD-2019-41691

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-41691

AFFECTED PRODUCTS

vendor: mi, model: mix 2s, scope: eq, version: -

Trust: 2.2

vendor: xiaomi, model: mi mix 2s, scope: -, version: -

Trust: 0.8

vendor: xiaomi, model: mix 2s a2060 201801032053, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2019-41691 // JVNDB: JVNDB-2019-012140 // CNNVD: CNNVD-201911-971 // NVD: CVE-2019-15467

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15467
value: LOW

Trust: 1.0

NVD: CVE-2019-15467
value: LOW

Trust: 0.8

CNVD: CNVD-2019-41691
value: LOW

Trust: 0.6

CNNVD: CNNVD-201911-971
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-15467
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-41691
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-15467
baseSeverity: LOW
baseScore: 3.3
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2019-15467
baseSeverity: LOW
baseScore: 3.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-41691 // JVNDB: JVNDB-2019-012140 // CNNVD: CNNVD-201911-971 // NVD: CVE-2019-15467

PROBLEMTYPE DATA

problemtype:CWE-610

Trust: 1.8

sources: JVNDB: JVNDB-2019-012140 // NVD: CVE-2019-15467

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201911-971

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201911-971

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012140

PATCH

title: Mi Mix 2S, url: https://www.mi.com/global/mix2s

Trust: 0.8

sources: JVNDB: JVNDB-2019-012140

EXTERNAL IDS

db: NVD, id: CVE-2019-15467

Trust: 3.0

db: JVNDB, id: JVNDB-2019-012140

Trust: 0.8

db: CNVD, id: CNVD-2019-41691

Trust: 0.6

db: CNNVD, id: CNNVD-201911-971

Trust: 0.6

sources: CNVD: CNVD-2019-41691 // JVNDB: JVNDB-2019-012140 // CNNVD: CNNVD-201911-971 // NVD: CVE-2019-15467

REFERENCES

url:https://www.kryptowire.com/android-firmware-2019/

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-15467

Trust: 2.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15467

Trust: 0.8

sources: CNVD: CNVD-2019-41691 // JVNDB: JVNDB-2019-012140 // CNNVD: CNNVD-201911-971 // NVD: CVE-2019-15467

SOURCES

db: CNVD, id: CNVD-2019-41691
db: JVNDB, id: JVNDB-2019-012140
db: CNNVD, id: CNNVD-201911-971
db: NVD, id: CVE-2019-15467

LAST UPDATE DATE

2024-11-23T23:04:35.844000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-41691, date: 2019-11-21T00:00:00
db: JVNDB, id: JVNDB-2019-012140, date: 2019-11-26T00:00:00
db: CNNVD, id: CNNVD-201911-971, date: 2019-12-02T00:00:00
db: NVD, id: CVE-2019-15467, date: 2024-11-21T04:28:48.133

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-41691, date: 2019-11-21T00:00:00
db: JVNDB, id: JVNDB-2019-012140, date: 2019-11-26T00:00:00
db: CNNVD, id: CNNVD-201911-971, date: 2019-11-14T00:00:00
db: NVD, id: CVE-2019-15467, date: 2019-11-14T17:15:24.193