Vulnerability Name: | CVE-2015-3837 (CCN-105782)
Assigned: | 2015-08-10
Published: | 2015-08-10
Updated: | 2015-10-01
Summary: | The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certificate.java in Android before 5.1.1 LMY48I improperly includes certain context data during serialization and deserialization, which allows attackers to execute arbitrary code via an application that sends a crafted Intent, aka internal bug 21437603.
CVSS v3 Severity: | 9.6 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
 | 8.6 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
CVSS v2 Severity: | 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
Vulnerability Type: | CWE-20
Vulnerability Consequences: | Gain Access
References: |
 Source: CCN | Type: Google Web site | Android
 Source: MITRE | Type: CNA | CVE-2015-3837
 Source: CONFIRM | Type: Vendor Advisory | https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540
 Source: XF | Type: UNKNOWN | google-android-cve20153837-code-exec(105782)
 Source: MLIST | Type: Vendor Advisory | [android-security-updates] 20150812 Nexus Security Bulletin (August 2015)
 Source: CCN | Type: Security Intelligence Web site | One Class to Rule Them All: New Android Serialization Vulnerability Gives Underprivileged Apps Super Status
 Source: CCN | Type: WhiteSource Vulnerability Database | CVE-2015-3837
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: