Vulnerability Description
An issue was discovered in BlueStacks 4.110 and below on macOS and on 4.120 and below on Windows. BlueStacks employs Android running in a virtual machine (VM) to enable Android apps to run on Windows or MacOS. Bug is in a local arbitrary file read through a system service call. The impacted method runs with System admin privilege and if given the file name as parameter returns you the content of file. A malicious app using the affected method can then read the content of any system file which it is not authorized to read
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bluestacks | Bluestacks | <= 4.120 |
| Microsoft | Windows | - |
| Apple | Macos | - |
Related Weaknesses (CWE)
References
- https://support.bluestacks.com/hc/en-us/articles/360021469391-Release-NotesRelease NotesVendor Advisory
- https://support.bluestacks.com/hc/en-us/articles/360033484132-BlueStacks-fails-tPatchVendor Advisory
- https://support.bluestacks.com/hc/en-us/articles/360021469391-Release-NotesRelease NotesVendor Advisory
- https://support.bluestacks.com/hc/en-us/articles/360033484132-BlueStacks-fails-tPatchVendor Advisory
FAQ
What is CVE-2019-14220?
CVE-2019-14220 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An issue was discovered in BlueStacks 4.110 and below on macOS and on 4.120 and below on Windows. BlueStacks employs Android running in a virtual machine (VM) to enable Android apps to run on Windows ...
How severe is CVE-2019-14220?
CVE-2019-14220 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-14220?
Check the references section above for vendor advisories and patch information. Affected products include: Bluestacks Bluestacks, Microsoft Windows, Apple Macos.