// For flags

CVE-2022-23835

 

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a "concrete and exploitable risk.

** EN DISPUTA ** La aplicación Visual Voice Mail (VVM) versiones hasta el 2022-02-24 para Android, permite un acceso persistente si un atacante controla temporalmente una aplicación que presenta el permiso READ_SMS, y lee un mensaje de credenciales IMAP que (por diseño) no es mostrado a la víctima dentro de la aplicación de mensajería AOSP SMS/MMS. (A menudo, las credenciales IMAP pueden usarse para escuchar los mensajes de correo de voz enviados antes de que sea explotada la vulnerabilidad, además de los nuevos). NOTA: algunos vendedores caracterizan esto como un "riesgo concreto y explotable".

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-01-21 CVE Reserved
  • 2022-02-25 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • 2024-11-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
References (2)
URL Tag Source
https://www.kb.cert.org/vuls/id/383864 Third Party Advisory
URL Date SRC
https://gitlab.com/kop316/vvm-disclosure 2024-08-03
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Visual Voice Mail Project
Search vendor "Visual Voice Mail Project"
 Visual Voice Mail
Search vendor "Visual Voice Mail Project" for product "Visual Voice Mail"
 <= 2022-02-24
Search vendor "Visual Voice Mail Project" for product "Visual Voice Mail" and version " <= 2022-02-24"
android
Affected