CVE-2018-9493

Description

In the content provider of the download manager, there is a possible SQL injection due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0 Android ID: A-111085900

References

Link	Tags
https://source.android.com/security/bulletin/2018-10-01%2C
https://android.googlesource.com/platform/frameworks/base/+/ebc250d16c747f4161167b5ff58b3aea88b37acf	third party advisory patch
http://www.securityfocus.com/bid/105484	vdb entry third party advisory
https://android.googlesource.com/platform/frameworks/base/+/462aaeaa616e0bb1342e8ef7b472acc0cbc93deb%2C
https://android.googlesource.com/platform/packages/providers/DownloadProvider/+/e7364907439578ce5334bce20bb03fef2e88b107%2C

Frequently Asked Questions

What is the severity of CVE-2018-9493?: CVE-2018-9493 has been scored as a medium severity vulnerability.
How to fix CVE-2018-9493?: To fix CVE-2018-9493, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2018-9493 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2018-9493 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2018-9493?: CVE-2018-9493 affects Google Inc. Android.

Description

Category

CWE-89 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References

Frequently Asked Questions