CVE-2020-0486
HIGHAndroid 11 - Local Privilege Escalation via ContactsProvider2 Insecure Default Permissions
Title source: llmDescription
In openAssetFileListener of ContactsProvider2.java, there is a possible permission bypass due to an insecure default value. This could lead to local escalation of privilege to change contact data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150857116
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_misc
https://source.android.com/security/bulletin/pixel/2020-12-01
Scores
CVSS v3
7.8
EPSS
0.0013
EPSS Percentile
3.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-276
Status
published
Products (1)
google/android
11.0
Published
Dec 15, 2020
Tracked Since
Feb 18, 2026