Vulnerability Description
Multiple SQL injection vulnerabilities in the queryLastApp method in packages/WAPPushManager/src/com/android/smspush/WapPushManager.java in the WAPPushManager module in Android before 5.0.0 allow remote attackers to execute arbitrary SQL commands, and consequently launch an activity or service, via the (1) wapAppId or (2) contentType field of a PDU for a malformed WAPPush message, aka Bug 17969135.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Android | <= 4.4.4 |
References
- http://packetstormsecurity.com/files/129283/Android-WAPPushManager-SQL-Injection (Exploit)
- http://seclists.org/fulldisclosure/2014/Nov/86 (Exploit)
- http://www.securityfocus.com/bid/71310
- http://xteam.baidu.com/?p=167 (Exploit)
- https://android.googlesource.com/platform/frameworks/base/+/48ed835468c623590545 (Vendor Advisory)
FAQ
What is CVE-2014-8507?
CVE-2014-8507 is a vulnerability with a CVSS score of 7.5 (HIGH). Multiple SQL injection vulnerabilities in the queryLastApp method in packages/WAPPushManager/src/com/android/smspush/WapPushManager.java in the WAPPushManager module in Android before 5.0.0 allow remo...
How severe is CVE-2014-8507?
CVE-2014-8507 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-8507?
Check the references section above for vendor advisories and patch information. Affected products include: Google Android.