Security Bulletin

Summary
  • Security CVES
  • High CVE-2023-40638
  • Medium CVE-2023-40631,CVE-2023-40632,CVE-2023-40633,CVE-2023-40634,CVE-2023-40635,CVE-2023-40636,CVE-2023-40637,CVE-2023-40639,CVE-2023-40640,CVE-2023-40641,CVE-2023-40642,CVE-2023-40643,CVE-2023-40644,CVE-2023-40645,CVE-2023-40646,CVE-2023-40647,CVE-2023-40648,CVE-2023-40649,CVE-2023-40650,CVE-2023-40651,CVE-2023-40652,CVE-2023-40653,CVE-2023-40654
Minutia
  • CVE ID CVE-2023-40631
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Dialer
  • Description

    In Dialer, there is a possible missing permission check. This could lead to local information disclosure with System execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android10/Android11/Android12

  • CVE ID CVE-2023-40632
  • Title Use After Free in jpg driver
  • Description

    In jpg driver, there is a possible use after free due to a logic error. This could lead to remote information disclosure no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type cwe-416 Use After Free
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 6.7
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Affected Chipsets*

    T606/T612/T616

  • Affected Software Versions

    Android13

  • CVE ID CVE-2023-40633
  • Title Exposure of Sensitive Information to an Unauthorized Actor in phasecheckserver
  • Description

    In phasecheckserver, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android11/Android12/Android13

  • CVE ID CVE-2023-40634
  • Title Exposure of Sensitive Information to an Unauthorized Actor in phasechecksercer
  • Description

    In phasechecksercer, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android11/Android12/Android13

  • CVE ID CVE-2023-40635
  • Title Missing Authorization in linkturbo
  • Description

    In linkturbo, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type cwe-862 Missing Authorization
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Affected Chipsets*

    SC9863A/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android11

  • CVE ID CVE-2023-40636
  • Title Comparison Logic is Vulnerable to Power Side-Channel Attacks in telecom service
  • Description

    In telecom service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with System execution privileges needed.

  • Technology Area Android
  • Vulnerability Type cwe-1255Comparison Logic is VulnerabletoPowerSide-ChannelAttacks
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    T760/T770/T820/S8000

  • Affected Software Versions

    Android11

  • CVE ID CVE-2023-40637
  • Title Exposure of Sensitive Information to an Unauthorized Actor in telecom service
  • Description

    In telecom service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android11

  • CVE ID CVE-2023-40638
  • Title Missing Authorization in Telecom service
  • Description

    In Telecom service, there is a possible missing permission check. This could lead to local denial of service with System execution privileges needed.

  • Technology Area Android
  • Vulnerability Type cwe-862 Missing Authorization
  • Access Vector Local
  • CVSS Rating High
  • CVSS Score 7.1
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
  • Affected Chipsets*

    T760/T770/T820/S8000

  • Affected Software Versions

    Android11

  • CVE ID CVE-2023-40639
  • Title Improper Access Control in SoundRecorder service
  • Description

    In SoundRecorder service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges

  • Technology Area Android
  • Vulnerability Type cwe-284 Improper Access Control
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 5.9
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Affected Chipsets*

    SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android10

  • CVE ID CVE-2023-40640
  • Title Improper Access Control in SoundRecorder service
  • Description

    In SoundRecorder service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges

  • Technology Area Android
  • Vulnerability Type cwe-284 Improper Access Control
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 5.9
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Affected Chipsets*

    SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android10

  • CVE ID CVE-2023-40641
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Messaging
  • Description

    In Messaging, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC9863A

  • Affected Software Versions

    Android11/Android12

  • CVE ID CVE-2023-40642
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Messaging
  • Description

    In Messaging, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC9863A

  • Affected Software Versions

    Android11/Android12

  • CVE ID CVE-2023-40643
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Messaging
  • Description

    In Messaging, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC9863A

  • Affected Software Versions

    Android11/Android12

  • CVE ID CVE-2023-40644
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Messaging
  • Description

    In Messaging, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC9863A

  • Affected Software Versions

    Android11/Android12

  • CVE ID CVE-2023-40645
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Messaging
  • Description

    In Messaging, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC9863A

  • Affected Software Versions

    Android11/Android12

  • CVE ID CVE-2023-40646
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Messaging
  • Description

    In Messaging, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC9863A

  • Affected Software Versions

    Android11/Android12

  • CVE ID CVE-2023-40647
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Messaging
  • Description

    In Messaging, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 6.2
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Affected Chipsets*

    SC9863A

  • Affected Software Versions

    Android11/Android12

  • CVE ID CVE-2023-40648
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Messaging
  • Description

    In Messaging, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Affected Chipsets*

    SC9863A

  • Affected Software Versions

    Android11/Android12

  • CVE ID CVE-2023-40649
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Messaging
  • Description

    In Messaging, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 6.2
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Affected Chipsets*

    SC9863A

  • Affected Software Versions

    Android11/Android12

  • CVE ID CVE-2023-40650
  • Title Exposure of Sensitive Information to an Unauthorized Actor in Telecom service
  • Description

    In Telecom service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-200Exposureof Sensitive Information to anUnauthorizedActor
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 4.4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • Affected Chipsets*

    SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android11/Android12

  • CVE ID CVE-2023-40651
  • Title Out-of-bounds Write in urild service
  • Description

    In urild service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed.

  • Technology Area Android
  • Vulnerability Type cwe-787 Out-of-bounds Write
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 6.7
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Affected Chipsets*

    SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android11/Android12/Android13

  • CVE ID CVE-2023-40652
  • Title Out-of-bounds Write in jpg driver
  • Description

    In jpg driver, there is a possible out of bounds write due to improper input validation. This could lead to local denial of service with System execution privileges needed.

  • Technology Area Android
  • Vulnerability Type cwe-787 Out-of-bounds Write
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 6
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
  • Affected Chipsets*

    T606/T612/T616

  • Affected Software Versions

    Android11

  • CVE ID CVE-2023-40653
  • Title Improper Access Control in FW-PackageManager
  • Description

    In FW-PackageManager, there is a possible missing permission check. This could lead to local escalation of privilege with System execution privileges needed.

  • Technology Area Android
  • Vulnerability Type cwe-284 Improper Access Control
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 5.5
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • Affected Chipsets*

    SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android11

  • CVE ID CVE-2023-40654
  • Title Improper Access Control in FW-PackageManager
  • Description

    In FW-PackageManager, there is a possible missing permission check. This could lead to local escalation of privilege with System execution privileges needed.

  • Technology Area Android
  • Vulnerability Type cwe-284 Improper Access Control
  • Access Vector Local
  • CVSS Rating Medium
  • CVSS Score 5.5
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • Affected Chipsets*

    SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

  • Affected Software Versions

    Android11

*The list of affected chipsets may not be complete. For latest information, device OEMs can contact directly at https://unisupport.unisoc.com

Vulnerability type definition
  • Abbreviation Interpretation
  • RCE Remote Code Execution
  • EoP Elevation of Privilege
  • ID Information Disclosure
  • DoS Denial of Service
  • N/A Classification not available
Version
  • Version Date Description
  • 1.0 2023-10-08