ID

VAR-202205-0076


CVE

CVE-2022-28791


TITLE

Samsung Galaxy Store InstallAgent Input Validation Error Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2023-73899

DESCRIPTION

Improper input validation vulnerability in InstallAgent in Galaxy Store prior to version 4.5.41.8 allows an attacker to overwrite files stored in a specific path. The patch adds proper protection to prevent overwriting of existing files. Samsung Galaxy Store is an application store for Samsung mobile devices. The vulnerability is caused by incorrect input validation logic in InstallAgent.

Trust: 1.53

sources: NVD: CVE-2022-28791 // CNVD: CNVD-2023-73899 // VULMON: CVE-2022-28791

IOT TAXONOMY

category: ['IoT']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-73899

AFFECTED PRODUCTS

vendor: samsung
model: galaxy store
scope: lt
version: 4.5.41.8

Trust: 1.6

sources: CNVD: CNVD-2023-73899 // NVD: CVE-2022-28791

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-28791
value: MEDIUM

Trust: 1.0

mobile.security@samsung.com: CVE-2022-28791
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2023-73899
value: LOW

Trust: 0.6

CNNVD: CNNVD-202205-1990
value: MEDIUM

Trust: 0.6

VULMON: CVE-2022-28791
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2022-28791
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

CNVD: CNVD-2023-73899
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-28791
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

mobile.security@samsung.com: CVE-2022-28791
baseSeverity: MEDIUM
baseScore: 6.2
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.5
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2023-73899 // VULMON: CVE-2022-28791 // CNNVD: CNNVD-202205-1990 // NVD: CVE-2022-28791 // NVD: CVE-2022-28791

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.0

sources: NVD: CVE-2022-28791

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202205-1990

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202205-1990

PATCH

title: Patch for Samsung Galaxy Store InstallAgent Input Validation Error Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/355981

Trust: 0.6

title: Fix for the Samsung Galaxy Store input validation error vulnerability
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=192399

Trust: 0.6

sources: CNVD: CNVD-2023-73899 // CNNVD: CNNVD-202205-1990

EXTERNAL IDS

db: NVD, id: CVE-2022-28791

Trust: 2.3

db: CNVD, id: CNVD-2023-73899

Trust: 0.6

db: CNNVD, id: CNNVD-202205-1990

Trust: 0.6

db: VULMON, id: CVE-2022-28791

Trust: 0.1

sources: CNVD: CNVD-2023-73899 // VULMON: CVE-2022-28791 // CNNVD: CNNVD-202205-1990 // NVD: CVE-2022-28791

REFERENCES

url:https://security.samsungmobile.com/serviceweb.smsb?year=2022&month=5

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-28791

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-28791/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2023-73899 // VULMON: CVE-2022-28791 // CNNVD: CNNVD-202205-1990 // NVD: CVE-2022-28791

SOURCES

db: CNVD, id: CNVD-2023-73899
db: VULMON, id: CVE-2022-28791
db: CNNVD, id: CNNVD-202205-1990
db: NVD, id: CVE-2022-28791

LAST UPDATE DATE

2024-11-23T22:29:00.119000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2023-73899, date: 2023-09-29T00:00:00
db: VULMON, id: CVE-2022-28791, date: 2022-05-11T00:00:00
db: CNNVD, id: CNNVD-202205-1990, date: 2022-05-12T00:00:00
db: NVD, id: CVE-2022-28791, date: 2024-11-21T06:57:56.560

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2023-73899, date: 2022-10-13T00:00:00
db: VULMON, id: CVE-2022-28791, date: 2022-05-03T00:00:00
db: CNNVD, id: CNNVD-202205-1990, date: 2022-05-03T00:00:00
db: NVD, id: CVE-2022-28791, date: 2022-05-03T20:15:09.687