Improper Access Control Vulnerability in A Mobile Phone of ZTE

Initial release date:  April 30, 2021

 

CVE ID

CVE-2021-21732

 

CVSS 3.1 Base Score

4.7 Medium (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)

 

Description

A mobile phone of ZTE is impacted by improper access control vulnerability. Due to improper permission settings, third-party applications can read some files in the proc file system without authorization. Attackers could exploit this vulnerability to obtain sensitive information.

  

Affected Products and Fixes

Product Name

Affected Version

Resolved Version

Axon 11 5G

ZTE/CN_P725A12/P725A12:10/QKQ1.200816.002

/20201116.175317:user/release-keys

All versions released after 2021.5.1 have fixed the vulnerability

 

Acknowledgement

ZTE thanks Qing Zhang of WuHeng Lab of Bytedance for paying attention to our products and cooperating with us to disclose vulnerability.

 

Update Records

April 30, 2021, initial.

 

Supporting team contacts

1. ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2. Product forum at ZTE Support website.

 

ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.

[Close]