Vulnerability Description
The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a "concrete and exploitable risk."
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Visual Voice Mail Project | Visual Voice Mail | <= 2022-02-24 |
Related Weaknesses (CWE)
References
- https://gitlab.com/kop316/vvm-disclosure (Exploit, Third Party Advisory)
- https://www.kb.cert.org/vuls/id/383864 (Third Party Advisory, US Government Resource)
FAQ
What is CVE-2022-23835?
CVE-2022-23835 is a vulnerability with a CVSS score of 8.1 (HIGH). The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP c...
How severe is CVE-2022-23835?
CVE-2022-23835 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-23835?
Check the references section above for vendor advisories and patch information. Affected products include: Visual Voice Mail Project Visual Voice Mail.