CVE-2022-45118

MEDIUM

OpenHarmony 3.1-3.1.2 - Unauthenticated Personal Data Exposure via Telephony Public Events

Title source: llm

Description

OpenHarmony-v3.1.2 and prior versions had a vulnerability that telephony in communication subsystem sends public events with personal data, but the permission is not set. Malicious apps could listen to public events and obtain information such as mobile numbers and SMS data without permissions.

References (1)

Core 1

Core References

Third Party Advisory

https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-12.md

Scores

CVSS v3 6.2

EPSS 0.0018

EPSS Percentile 7.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-276 CWE-287

Status published

Products (1)

openharmony/openharmony 3.1 - 3.1.4

Published Dec 08, 2022

Tracked Since Feb 18, 2026