6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2390

GHSA ID

GHSA-cm6r-892j-jv2g

EPSS Score

0.08939%

CWE

CWE-471

Published

8/13/2022

Updated

1/30/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2390

CVE-2022-2390: Google Play Services SDK leads to apps having incorrectly set mutability flag

Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let the attacker, gain the access to all non-exported providers and/or gain the access to other providers the victim has permissions. We recommend upgrading to version 18.0.2 of the Play Service SDK as well as rebuilding and redeploying apps.

(GitHub Advisory)

6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2390

GHSA ID

GHSA-cm6r-892j-jv2g

EPSS Score

0.08939%

CWE

CWE-471

Published

8/13/2022

Updated

1/30/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.google.android.gms:play-services-basement	maven	< 18.0.2	18.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on improper PendingIntent mutability in notifications. Analysis of Google's standard notification patterns and the CWE-471 context indicates the NotificationCompatBuilder class (core to Play Services' notification handling) would contain the vulnerable PendingIntent creation logic. The functions building notifications and their content intents would show PendingIntent.get*() calls missing FLAG_IMMUTABLE in pre-18.0.2 versions. Runtime detection would observe these builder methods creating mutable intents when handling notification-related operations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*pps **v*lop** wit* *oo*l* Pl*y S*rvi**s S*K in*orr**tly *** t** mut**ility *l** s*t to P*n*in*Int*nts t**t w*r* p*ss** to t** Noti*i**tion s*rvi**. *s *oo*l* Pl*y s*rvi**s S*K is so wi**ly us**, t*is *u* *****ts m*ny *ppli**tions. *or *n *ppli**tion

Reasoning

T** vuln*r**ility **nt*rs on improp*r P*n*in*Int*nt mut**ility in noti*i**tions. *n*lysis o* *oo*l*'s st*n**r* noti*i**tion p*tt*rns *n* t** *W*-*** *ont*xt in*i**t*s t** `Noti*i**tion*omp*t*uil**r` *l*ss (*or* to Pl*y S*rvi**s' noti*i**tion **n*lin*

6

Basic Information

Concerned about an active attack path?

CVE-2022-2390: Google Play Services SDK leads to apps having incorrectly set mutability flag

6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI