Unrated severity · NVD Advisory · Published Jan 7, 2022 · Updated Aug 3, 2024

CVE-2022-22287

Description

Samsung Email prior to 6.1.60.16 allows an attacker to read isolated sandbox data via an arbitrary file access vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An arbitrary file access vulnerability exists in Samsung Email versions prior to 6.1.60.16, allowing an attacker to read isolated data within the application's sandbox. The vulnerability resides in the email client's file handling mechanism, which does not properly restrict access to internal storage locations when processing certain content. All versions before 6.1.60.16 are affected [1].

Exploitation

An attacker would need to entice a user running an affected version of Samsung Email to open a specially crafted email or attachment. No special network position or authentication beyond normal email access is required. The attacker crafts a malicious email that, when processed by the vulnerable version, triggers the arbitrary file access through improper path validation, enabling reads from the app's sandbox directories.

Impact

Successful exploitation allows the attacker to read isolated data stored in the Samsung Email sandbox, such as cached email content, configuration data, or other sensitive information intended to be separated from other apps. This is a confidentiality breach that may expose user data.

Mitigation

Samsung released version 6.1.60.16 to fix this vulnerability, as noted in the January 2022 Samsung Mobile Security update [1]. Users should update the Samsung Email application to version 6.1.60.16 or later via the Galaxy Store or available update mechanisms.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
