Security Vulnerabilities - CVEs Published In April 2021
In getSimSerialNumber of TelephonyManager.java, there is a possible way to read a trackable identifier due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-173421434
CVSS Score: 5.5
EPSS Score: 0.0
Published: 2021-04-13
In pollOnce of ALooper.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9, Android-10, Android-11, Android-8.1. Android ID: A-175074139
CVSS Score: 7.8
EPSS Score: 0.0
Published: 2021-04-13
In rw_mfc_handle_read_op of rw_mfc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution via a malicious NFC packet with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11. Android ID: A-178725766
CVSS Score: 9.8
EPSS Score: 0.008
Published: 2021-04-13
In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a paired device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-8.1, Android-9, Android-10. Android ID: A-174149901
CVSS Score: 7.5
EPSS Score: 0.016
Published: 2021-04-13
In ClearPullerCacheIfNecessary and ForceClearPullerCache of StatsPullerManager.cpp, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-173552790
CVSS Score: 7.0
EPSS Score: 0.0
Published: 2021-04-13
In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege and pairing malicious devices with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.1, Android-9, Android-10, Android-11. Android ID: A-171221090
CVSS Score: 8.0
EPSS Score: 0.0
Published: 2021-04-13
The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.
CVSS Score: 4.9
EPSS Score: 0.002
Published: 2021-04-13
An issue was discovered in Wind River VxWorks 7 before 21.03. A specially crafted packet may lead to a buffer over-read on IKE.
CVSS Score: 5.3
EPSS Score: 0.001
Published: 2021-04-13
An issue was discovered in Wind River VxWorks before 6.5. There is a possible heap overflow in the DHCP client.
CVSS Score: 9.8
EPSS Score: 0.012
Published: 2021-04-13
An issue was discovered in Wind River VxWorks through 6.8. There is a possible stack overflow in the DHCP server.
CVSS Score: 9.8
EPSS Score: 0.004
Published: 2021-04-13


Shodan ® - All rights reserved