Miggo Logo

CVE-2022-2390: Google Play Services SDK leads to apps having incorrectly set mutability flag

6

CVSS Score
3.1

Basic Information

EPSS Score
0.08939%
Published
8/13/2022
Updated
1/30/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.google.android.gms:play-services-basementmaven< 18.0.218.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on improper PendingIntent mutability in notifications. Analysis of Google's standard notification patterns and the CWE-471 context indicates the NotificationCompatBuilder class (core to Play Services' notification handling) would contain the vulnerable PendingIntent creation logic. The functions building notifications and their content intents would show PendingIntent.get*() calls missing FLAG_IMMUTABLE in pre-18.0.2 versions. Runtime detection would observe these builder methods creating mutable intents when handling notification-related operations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*pps **v*lop** wit* *oo*l* Pl*y S*rvi**s S*K in*orr**tly *** t** mut**ility *l** s*t to P*n*in*Int*nts t**t w*r* p*ss** to t** Noti*i**tion s*rvi**. *s *oo*l* Pl*y s*rvi**s S*K is so wi**ly us**, t*is *u* *****ts m*ny *ppli**tions. *or *n *ppli**tion

Reasoning

T** vuln*r**ility **nt*rs on improp*r P*n*in*Int*nt mut**ility in noti*i**tions. *n*lysis o* *oo*l*'s st*n**r* noti*i**tion p*tt*rns *n* t** *W*-*** *ont*xt in*i**t*s t** `Noti*i**tion*omp*t*uil**r` *l*ss (*or* to Pl*y S*rvi**s' noti*i**tion **n*lin*