Vulnerability Name:

CVE-2011-0680 (CCN-65125)

Assigned:2011-01-31
Published:2011-01-31
Updated:2017-08-17
Summary:data/WorkingMessage.java in the Mms application in Android before 2.2.2 and 2.3.x before 2.3.2 does not properly manage the draft cache, which allows remote attackers to read SMS messages intended for other recipients in opportunistic circumstances via a standard text messaging service.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: CONFIRM
Type: Patch
http://android.git.kernel.org/?p=platform/packages/apps/Mms.git;a=commit;h=18d6b7e9d2e538fb3c0264332b96c02abf367267

Source: MISC
Type: Patch
http://android.git.kernel.org/?p=platform/packages/apps/Mms.git;a=commit;h=4d26623ce82230e8e7009adb921c5edea370a9e0

Source: CONFIRM
Type: UNKNOWN
http://code.google.com/p/android/issues/detail?id=9392#c1460

Source: CONFIRM
Type: UNKNOWN
http://code.google.com/p/android/issues/detail?id=9392#c1620

Source: MITRE
Type: CNA
CVE-2011-0680

Source: MISC
Type: UNKNOWN
http://phandroid.com/2011/01/21/android-2-3-2-update-pushing-to-nexus-s-phone-fixes-sms-bug/

Source: MISC
Type: UNKNOWN
http://twitter.com/GalaxySsupport/statuses/28078194607263744

Source: MISC
Type: UNKNOWN
http://www.engadget.com/2011/01/22/nexus-one-gets-tiny-update-to-android-2-2-2-probably-fixes-sms/

Source: MISC
Type: UNKNOWN
http://www.htcphones.net/nexus-one-update-to-android-2-2-2/

Source: CCN
Type: Open Handset Alliance Web site
Android

Source: CCN
Type: OSVDB ID: 70744
Google Android Mms Application data/WorkingMessage.java Draft Cache SMS Message Remote Disclosure

Source: MISC
Type: UNKNOWN
http://www.samsunghub.com/2011/01/22/nexus-s-gets-android-2-3-2-fixes-sms-bug/

Source: BID
Type: UNKNOWN
46105

Source: CCN
Type: BID-46105
Open Handset Alliance Android 'data/WorkingMessage.java' Information Disclosure Vulnerability

Source: MISC
Type: Patch
http://www.theinquirer.net/inquirer/news/1939386/google-updates-nexus-android-222

Source: XF
Type: UNKNOWN
android-workingmessage-info-disclosure(65125)

Source: XF
Type: UNKNOWN
android-workingmessage-info-disclosure(65125)

Vulnerable Configuration:Configuration 1:
  • cpe:/o:google:android:1.5:*:*:*:*:*:*:*
  • OR cpe:/o:google:android:1.6:*:*:*:*:*:*:*
  • OR cpe:/o:google:android:2.1:*:*:*:*:*:*:*
  • OR cpe:/o:google:android:2.2:rev1:*:*:*:*:*:*
  • OR cpe:/o:google:android:*:*:*:*:*:*:*:* (Version <= 2.2.1)
  • OR cpe:/o:google:android:2.3:rev1:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/o:google:android:2.2:*:*:*:*:*:*:*
  • OR cpe:/o:google:android:2.3:*:*:*:*:*:*:*
  • OR cpe:/o:google:android:2.3.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    google android 1.5
    google android 1.6
    google android 2.1
    google android 2.2 rev1
    google android *
    google android 2.3 rev1
    google android 2.2
    google android 2.3
    google android 2.3.1