Uninitialized Data Leads to Local Information Disclosure

CVE-2024-29745

5.5MEDIUM

Key Information

Vendor
Google
Status
Android
Vendor
CVE Published:
5 April 2024

Badges

😄 Trended👾 Exploit Exists📰 News Worthy

What is CVE-2024-29745?

CVE-2024-29745 is a vulnerability found in Google's software that arises from uninitialized data, potentially allowing for local information disclosure. When exploited, this vulnerability does not require any additional execution permissions or user interaction, making it easier for attackers to access sensitive information stored within the affected systems. Organizations utilizing the impacted software are at risk, as this could lead to unauthorized access to confidential data, impacting their overall security posture.

Technical Details

The core of CVE-2024-29745 lies in the inadequately initialized data segments within the software. This flaw can inadvertently expose sensitive information that should remain secure. Given its nature, the vulnerability does not necessitate elevated privileges, which means even regular users could potentially exploit it if they know where to look. The risk is compounded by the fact that no specific user interaction is required, making it insidious and difficult to detect.

Impact of the Vulnerability

  1. Unauthorized Information Access: The primary impact of this vulnerability is the potential for attackers to gain access to sensitive local information, which can include user credentials, personal data, or proprietary information.

  2. Increased Attack Surface: By exposing information without requiring elevated permissions or user interaction, this vulnerability broadens the potential attack surface, allowing malicious actors to exploit unsuspecting users and systems more easily.

  3. Reputation and Trust Erosion: Organizations impacted by this vulnerability may suffer reputational damage, especially if sensitive information is leaked, leading to a loss of user trust and potential financial consequences related to regulatory compliance and recovery efforts.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-29745 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Android = Android kernel

News Articles

favicon imageForbes

Samsung Issues Update Warning For Galaxy Smartphones As Google Confirms New Threat

Millions of Samsung Galaxy smartphones have a critical vulnerability with no fix…

6 months ago

favicon imageSpiceworks

Forensic Firms Exploit Pixel Android Zero Days - Spiceworks

Google has patched two zero-day vulnerabilities in Pixel smartphones that were being exploited by forensic firms. Find out more.

9 months ago

favicon imageCybersecurityNews

Google Pixel Phone Zero-days Exploited by Forensic Firms in the Wild : Patch Now

The Pixel Update Bulletin details security vulnerabilities and functional improvements for supported Pixel devices.

9 months ago

Refferences

https://source.android.com/security/bulletin/pixel/2024-0...

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability started trending

  • Vulnerability published

  • CISA Reported

  • 👾

    Exploit known to exist

  • First article discovered by Gizchina.com

Collectors

NVD DatabaseMitre DatabaseCISA Database12 News Article(s)
.