CVE-2021-1037
Last modified
CVE-2021-1037 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. The broadcast that DevicePickerFragment sends when a new device is paired doesn't have any permission checks, so any app can register to listen for it. This lets apps keep track of what devices are paired without requesting BLUETOOTH permissions.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-162951906. EPSS estimates a 0.32% chance of exploitation in the next 30 days.
Description
The broadcast that DevicePickerFragment sends when a new device is paired doesn't have any permission checks, so any app can register to listen for it. This lets apps keep track of what devices are paired without requesting BLUETOOTH permissions.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-162951906
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Android | 9.0 | |
| Android | 10.0 | |
| Android | 11.0 | |
| Android | 12.0 |
References
- https://source.android.com/security/bulletin/aaos/2022-01-01Vendor Advisory
- https://source.android.com/security/bulletin/aaos/2022-01-01Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-1037?
How severe is CVE-2021-1037?
How do I fix CVE-2021-1037?
Are you affected by CVE-2021-1037?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST