CVE-2024-20837 (GCVE-0-2024-20837)

Vulnerability from cvelistv5 – Published: 2024-03-05 04:44 – Updated: 2024-08-01 22:06
VLAI?
Summary
Improper handling of granting permission for Trusted Web Activities in Samsung Internet prior to version 24.0.0.41 allows local attackers to grant permission to their own TWA WebApps without user interaction.
Severity ?
5.3 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE
  • CWE-280 - Improper Handling of Insufficient Permissions or Privileges
Assigner
References
Impacted products
Vendor Product Version
Samsung Mobile Samsung Internet Unaffected: 24.0.0.41
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-20837",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-05T14:19:29.194271Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:39:52.242Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:06:36.497Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024\u0026month=03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Samsung Internet",
          "vendor": "Samsung Mobile",
          "versions": [
            {
              "status": "unaffected",
              "version": "24.0.0.41"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper handling of granting permission for Trusted Web Activities in Samsung Internet prior to version 24.0.0.41 allows local attackers to grant permission to their own TWA WebApps without user interaction."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-05T04:44:46.414Z",
        "orgId": "3af57064-a867-422c-b2ad-40307b65c458",
        "shortName": "SamsungMobile"
      },
      "references": [
        {
          "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024\u0026month=03"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458",
    "assignerShortName": "SamsungMobile",
    "cveId": "CVE-2024-20837",
    "datePublished": "2024-03-05T04:44:46.414Z",
    "dateReserved": "2023-12-05T04:57:52.535Z",
    "dateUpdated": "2024-08-01T22:06:36.497Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:samsung:internet:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"24.0.0.41\", \"matchCriteriaId\": \"4388DCBA-3C22-4E91-8D1D-757ECCF3A497\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Improper handling of granting permission for Trusted Web Activities in Samsung Internet prior to version 24.0.0.41 allows local attackers to grant permission to their own TWA WebApps without user interaction.\"}, {\"lang\": \"es\", \"value\": \"El manejo inadecuado de la concesi\\u00f3n de permisos para actividades web confiables en Samsung Internet antes de la versi\\u00f3n 24.0.0.41 permite a atacantes locales otorgar permiso a sus propias aplicaciones web TWA sin interacci\\u00f3n del usuario.\"}]",
      "id": "CVE-2024-20837",
      "lastModified": "2024-12-23T16:29:57.827",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"mobile.security@samsung.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.4}]}",
      "published": "2024-03-05T05:15:11.150",
      "references": "[{\"url\": \"https://security.samsungmobile.com/serviceWeb.smsb?year=2024\u0026month=03\", \"source\": \"mobile.security@samsung.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://security.samsungmobile.com/serviceWeb.smsb?year=2024\u0026month=03\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "mobile.security@samsung.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-20837\",\"sourceIdentifier\":\"mobile.security@samsung.com\",\"published\":\"2024-03-05T05:15:11.150\",\"lastModified\":\"2024-12-23T16:29:57.827\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper handling of granting permission for Trusted Web Activities in Samsung Internet prior to version 24.0.0.41 allows local attackers to grant permission to their own TWA WebApps without user interaction.\"},{\"lang\":\"es\",\"value\":\"El manejo inadecuado de la concesi\u00f3n de permisos para actividades web confiables en Samsung Internet antes de la versi\u00f3n 24.0.0.41 permite a atacantes locales otorgar permiso a sus propias aplicaciones web TWA sin interacci\u00f3n del usuario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"mobile.security@samsung.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:samsung:internet:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"24.0.0.41\",\"matchCriteriaId\":\"4388DCBA-3C22-4E91-8D1D-757ECCF3A497\"}]}]}],\"references\":[{\"url\":\"https://security.samsungmobile.com/serviceWeb.smsb?year=2024\u0026month=03\",\"source\":\"mobile.security@samsung.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.samsungmobile.com/serviceWeb.smsb?year=2024\u0026month=03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-280: Improper Handling of Insufficient Permissions or Privileges\"}]}], \"affected\": [{\"vendor\": \"Samsung Mobile\", \"product\": \"Samsung Internet\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"24.0.0.41\"}], \"defaultStatus\": \"affected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper handling of granting permission for Trusted Web Activities in Samsung Internet prior to version 24.0.0.41 allows local attackers to grant permission to their own TWA WebApps without user interaction.\"}], \"references\": [{\"url\": \"https://security.samsungmobile.com/serviceWeb.smsb?year=2024\u0026month=03\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\", \"baseSeverity\": \"MEDIUM\", \"baseScore\": 5.3, \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\"}}], \"providerMetadata\": {\"orgId\": \"3af57064-a867-422c-b2ad-40307b65c458\", \"shortName\": \"SamsungMobile\", \"dateUpdated\": \"2024-03-05T04:44:46.414Z\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-20837\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-05T14:19:29.194271Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:14.958Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-20837\", \"assignerOrgId\": \"3af57064-a867-422c-b2ad-40307b65c458\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"SamsungMobile\", \"dateReserved\": \"2023-12-05T04:57:52.535Z\", \"datePublished\": \"2024-03-05T04:44:46.414Z\", \"dateUpdated\": \"2024-06-04T17:39:52.242Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.