Vulnerability Description
The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824.
CVSS Score
7.2 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Android | <= 4.4.4 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak. (Exploit)
- http://seclists.org/fulldisclosure/2014/Nov/81 (Exploit)
- http://xteam.baidu.com/?p=158 (Exploit)
- https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b9 (Vendor Advisory)
FAQ
What is CVE-2014-8609?
CVE-2014-8609 is a vulnerability with a CVSS score of 7.2 (HIGH). The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers ...
How severe is CVE-2014-8609?
CVE-2014-8609 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-8609?
Check the references section above for vendor advisories and patch information. Affected products include: Google Android.