Information Disclosure Vulnerability in Android Wi-Fi Connectivity Service
CVE-2024-49734

7.5HIGH

Key Information:

Vendor
Google
Status
Android
Vendor
CVE Published:
21 January 2025

Summary

A vulnerability in the ConnectivityService class of Android can allow a Wi-Fi Access Point (AP) to infer which websites a device has accessed while connected through a VPN. This side channel information disclosure occurs due to inadequate handling of network traffic, potentially exposing sensitive user data without requiring additional privileges or user interaction.

Affected Version(s)

Android 15

Android 14

References

https://source.android.com/security/bulletin/2025-01-01

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.