Vulnerability CVE-2016-6702

Vulnerability Name:

CVE-2016-6702 (CCN-119494)

Assigned:

2016-11-17

Published:

2016-11-17

Updated:

2016-12-06

Summary:

A remote code execution vulnerability in libjpeg in Android 4.x before 4.4.4, 5.0.x before 5.0.2, and 5.1.x before 5.1.1 could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses libjpeg. Android ID: A-30259087.

CVSS v3 Severity:

7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-284

Vulnerability Consequences:

Gain Access

References:

Source: CCN
Type: Google Web site
Android

Source: MITRE
Type: CNA
CVE-2016-6702

Source: BID
Type: Third Party Advisory, VDB Entry
94160

Source: CCN
Type: BID-94160
Google Android libjpeg CVE-2016-6702 Remote Code Execution Vulnerability

Source: XF
Type: UNKNOWN
android-cve20166702-code-exec(119494)

Source: CCN
Type: Android Open Source Project
Android Security BulletinNovember 2016

Source: CONFIRM
Type: Vendor Advisory
https://source.android.com/security/bulletin/2016-11-01.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-6702

Vulnerable Configuration:

Configuration 1:

cpe:/o:google:android:4.0:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.0.1:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.0.2:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.0.3:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.0.4:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.1:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.1.2:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.2:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.2.1:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.2.2:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.3:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.3.1:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.4:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.4.1:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.4.2:*:*:*:*:*:*:*

OR cpe:/o:google:android:4.4.3:*:*:*:*:*:*:*

OR cpe:/o:google:android:5.0:*:*:*:*:*:*:*

OR cpe:/o:google:android:5.0.1:*:*:*:*:*:*:*

OR cpe:/o:google:android:5.1:*:*:*:*:*:*:*

OR cpe:/o:google:android:5.1.0:*:*:*:*:*:*:*

Configuration CCN 1: