Possible Security Bypass in NetworkManagementService.java
CVE-2017-13314

7.8 HIGH

Key Information:

Vendor: Google

Status
Vendor
CVE Published: 15 November 2024

What is CVE-2017-13314?

A vulnerability in NetworkManagementService.java in the Android operating system allows a bypass of security settings. Specifically, the setAllowOnlyVpnForUids method lacks adequate permission checks, so users can access non-VPN networks despite restrictions. Exploitation requires no user interaction and results in local escalation of privilege, compromising the network segregation intended for secure VPN use.

Affected Version(s)

Android 7

Android 8

Android 8.1

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
