CVE-2014-8609 - Vulnerability Details - OpenCVE

The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00637.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Android

Configuration 1 [-]

OR	cpe:2.3:o:google:android::::::::
	cpe:2.3:o:google:android:4.0:::::::*
	cpe:2.3:o:google:android:4.0.1:::::::*
	cpe:2.3:o:google:android:4.0.2:::::::*
	cpe:2.3:o:google:android:4.0.3:::::::*
	cpe:2.3:o:google:android:4.0.4:::::::*
	cpe:2.3:o:google:android:4.1:::::::*
	cpe:2.3:o:google:android:4.1.2:::::::*
	cpe:2.3:o:google:android:4.2:::::::*
	cpe:2.3:o:google:android:4.2.1:::::::*
	cpe:2.3:o:google:android:4.2.2:::::::*
	cpe:2.3:o:google:android:4.3:::::::*
	cpe:2.3:o:google:android:4.3.1:::::::*
	cpe:2.3:o:google:android:4.4:::::::*
	cpe:2.3:o:google:android:4.4.1:::::::*
	cpe:2.3:o:google:android:4.4.2:::::::*
	cpe:2.3:o:google:android:4.4.3:::::::*

No data.

No data.

References

Link	Providers
http://packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak.html
http://seclists.org/fulldisclosure/2014/Nov/81
http://xteam.baidu.com/?p=158
https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-12-15T17:27:00.000Z

Updated: 2024-08-06T13:26:02.504Z

Reserved: 2014-11-04T00:00:00.000Z

Link: CVE-2014-8609

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-12-15T18:59:18.067

Modified: 2026-06-17T00:17:01.270

Link: CVE-2014-8609

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-11-26T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-12-14T06:57:00.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak.html"}, {"tags": ["x_refsource_MISC"], "url": "http://xteam.baidu.com/?p=158"}, {"name": "20141126 CVE-2014-8609 Android Settings application privilege leakage vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Nov/81"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-8609", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak.html"}, {"name": "http://xteam.baidu.com/?p=158", "refsource": "MISC", "url": "http://xteam.baidu.com/?p=158"}, {"name": "20141126 CVE-2014-8609 Android Settings application privilege leakage vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Nov/81"}, {"name": "https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7", "refsource": "CONFIRM", "url": "https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:26:02.504Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://xteam.baidu.com/?p=158"}, {"name": "20141126 CVE-2014-8609 Android Settings application privilege leakage vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2014/Nov/81"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-8609", "datePublished": "2014-12-15T17:27:00.000Z", "dateReserved": "2014-11-04T00:00:00.000Z", "dateUpdated": "2024-08-06T13:26:02.504Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"affected": [{"affectedData": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "source": "cve@mitre.org"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", "matchCriteriaId": "53885773-16E2-4D30-BBA4-43F928098515", "versionEndIncluding": "4.4.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "A39C31E3-75C0-4E92-A6B5-7D67B22E3449", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BB318EA4-2908-4B91-8DBB-20008FDF528A", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1F4E46A9-B652-47CE-92E8-01021E57724B", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "AB9B53C6-AE84-4A45-B83E-8E5CE44F7B93", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "36DD8E3F-6308-4680-B932-4CBD8E58A7FB", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "1DA9F0F7-D592-481E-884C-B1A94E702825", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "6CD857E7-B878-49F9-BDDA-93DDEBB0B42B", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "FBDABB6C-FFF9-4E79-9EF1-BDC0BBDEA9F1", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "A47AB858-36DE-4330-8CAC-1B46C5C8DA80", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "49413FF7-7910-4F74-B106-C3170612CB2A", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "A2467F65-A3B7-4E45-A9A5-E5A6EFD99D7B", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "A8882E50-7C49-4A99-91F2-DF979CF8BB2F", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "matchCriteriaId": "98C32982-095C-4628-9958-118A3D3A9CAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "8FC0FCEA-0B3D-43C1-AB62-4F9C880B4CA1", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "EC75ED04-B8C7-4CC0-AC64-AE2D9E0CDF5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "FC13D3EE-CC89-4883-8E3D-3FE25FB8CF42", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824."}, {"lang": "es", "value": "El m\u00e9todo addAccount en src/com/android/settings/accounts/AddAccountSettings.java en la aplicaci\u00f3n Settings en Android anterior a 5.0.0 no crea correctamente un PendingIntent, lo que permite a atacantes utilizar la uid SYSTEM para emitir un intento con informaci\u00f3n arbitraria de componentes, acciones o categor\u00edas a trav\u00e9s de un autenticador tercera parte en una aplicaci\u00f3n manipulada, tambi\u00e9n conocido como Bug 17356824."}], "id": "CVE-2014-8609", "lastModified": "2026-06-17T00:17:01.270", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-12-15T18:59:18.067", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Nov/81"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://xteam.baidu.com/?p=158"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Nov/81"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://xteam.baidu.com/?p=158"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}