CVE-2022-42488

HIGH

OpenHarmony 3.1-3.1.2 - Missing Authorization in Startup Subsystem Param Service

Title source: llm

Description

OpenHarmony-v3.1.2 and prior versions have a missing permission validation vulnerability in the param service of the startup subsystem. A malicious application installed on the device could elevate its privileges to the root user, disable security features, or cause DoS by disabling particular services.

References (1)

Core 1

Scores

CVSS v3 8.4
EPSS 0.0018
EPSS Percentile 7.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-287 CWE-862
Status published
Products (1)
openharmony/openharmony 3.1 - 3.1.2
Published Oct 14, 2022
Tracked Since Feb 18, 2026