CVE-2022-36872

Pending Intent hijacking vulnerability in SpayNotification in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.0 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=09	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:samsung:samsung_pay::::::android::*
	cpe:2.3:a:samsung:samsung_pay_kr::::::android::*

History

No history.

Information

Published : 2022-09-09 15:15

Updated : 2022-10-01 02:16

NVD link : CVE-2022-36872

Mitre link : CVE-2022-36872

CVE.ORG link : CVE-2022-36872

JSON object : View

Products Affected

samsung

samsung_pay
samsung_pay_kr

CWE

NVD-CWE-noinfo CWE-285

Improper Authorization

{"id": "CVE-2022-36872", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.0}, {"type": "Secondary", "source": "mobile.security@samsung.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.8}]}, "published": "2022-09-09T15:15:12.880", "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=09", "tags": ["Vendor Advisory"], "source": "mobile.security@samsung.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "mobile.security@samsung.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "Pending Intent hijacking vulnerability in SpayNotification in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent."}, {"lang": "es", "value": "Una vulnerabilidad de secuestro de intenci\u00f3n pendiente en SpayNotification en Samsung Pay versiones anteriores a 5.0.63 para KR y 5.1.47 para Global, permite a atacantes acceder a archivos sin permiso por medio de una intenci\u00f3n impl\u00edcita"}], "lastModified": "2022-10-01T02:16:11.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:samsung:samsung_pay:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "656DC662-4AD9-4B86-97ED-97941C9A8193", "versionEndExcluding": "5.1.47"}, {"criteria": "cpe:2.3:a:samsung:samsung_pay_kr:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "E7775496-FCF2-486C-A37D-02B1E1549A71", "versionEndExcluding": "5.0.63"}], "operator": "OR"}]}], "sourceIdentifier": "mobile.security@samsung.com"}