CVE-2021-33057 — HIGH (7.5)

Vulnerability Description

The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device's location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Tencent	Qq	8.7.1

Related Weaknesses (CWE)

CWE-862

References

https://arxiv.org/pdf/2205.15202.pdfTechnical DescriptionThird Party Advisory
https://github.com/BESTICSP/Vulnerabilities-Related-to-Mini-Programs-PermissionsExploitThird Party Advisory
https://tencent.comVendor Advisory
https://arxiv.org/pdf/2205.15202.pdfTechnical DescriptionThird Party Advisory
https://github.com/BESTICSP/Vulnerabilities-Related-to-Mini-Programs-PermissionsExploitThird Party Advisory
https://tencent.comVendor Advisory

FAQ

What is CVE-2021-33057?

CVE-2021-33057 is a vulnerability with a CVSS score of 7.5 (HIGH). The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker ca...

How severe is CVE-2021-33057?

CVE-2021-33057 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-33057?

Check the references section above for vendor advisories and patch information. Affected products include: Tencent Qq.