CVE-2015-3854 — HIGH (7.5) — White Hats Nepal

Vulnerability Description

packages/SystemUI/src/com/android/systemui/power/PowerNotificationWarnings.java in Android 5.x allows attackers to bypass a DEVICE_POWER permission requirement via a broadcast intent with the PNW.stopSaver action, aka internal bug 20918350.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Google	Android	5.0

Related Weaknesses (CWE)

CWE-284

References

http://seclists.org/fulldisclosure/2016/May/71Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2016/May/72Mailing ListThird Party Advisory
https://android.googlesource.com/platform/frameworks/base/+/05e0705177d2078fa9f9Issue TrackingPatch
http://seclists.org/fulldisclosure/2016/May/71Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2016/May/72Mailing ListThird Party Advisory
https://android.googlesource.com/platform/frameworks/base/+/05e0705177d2078fa9f9Issue TrackingPatch

FAQ

What is CVE-2015-3854?

CVE-2015-3854 is a vulnerability with a CVSS score of 7.5 (HIGH). packages/SystemUI/src/com/android/systemui/power/PowerNotificationWarnings.java in Android 5.x allows attackers to bypass a DEVICE_POWER permission requirement via a broadcast intent with the PNW.stop...

How severe is CVE-2015-3854?

CVE-2015-3854 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-3854?

Check the references section above for vendor advisories and patch information. Affected products include: Google Android.