CVE-2022-39915
Description
Improper access control vulnerability in Calendar prior to versions 11.6.08.0 in Android Q(10), 12.2.11.3000 in Android R(11), 12.3.07.2000 in Android S(12), and 12.4.02.0 in Android T(13) allows attackers to access sensitive information via implicit intent.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An improper access control vulnerability in the Samsung Calendar app prior to specific versions allows attackers to access sensitive information via implicit intent.
Vulnerability
An improper access control vulnerability exists in the Samsung Calendar application on Android. The bug is reachable via an implicit intent, allowing an application to access sensitive information without proper permission checks. Affected versions include: Calendar prior to 11.6.08.0 on Android Q(10), prior to 12.2.11.3000 on Android R(11), prior to 12.3.07.2000 on Android S(12), and prior to 12.4.02.0 on Android T(13). [1]
Exploitation
An attacker needs to be able to send an implicit intent to the Calendar application. Special permissions or user interaction beyond normal application usage may not be required, because the vulnerability stems from a missing access control check when handling implicit intents. The exact steps are not detailed in the available references, but exploiting the flaw involves crafting an intent that triggers the Calendar to expose sensitive data. [1]
Impact
Successful exploitation allows an attacker to access sensitive information from the Calendar app. The impact primarily concerns confidentiality, as the attacker can read data that should be protected. The attacker operates at the privilege level of a third-party app with no additional permissions and may gain access to calendar events, attendees, or other private data. [1]
Mitigation
The vulnerability is fixed in Calendar versions 11.6.08.0 (Android Q), 12.2.11.3000 (Android R), 12.3.07.2000 (Android S), and 12.4.02.0 (Android T). Users should update to the latest version of the Calendar app via the Galaxy Store or Google Play Store. No workarounds are documented in the references. The CVE is not listed in CISA KEV as of this writing. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: < 11.6.08.0 (Q), < 12.2.11.3000 (R), < 12.3.07.2000 (S), < 12.4.02.0 (T)
- Samsung Mobile/Samsung Calendar (v5), Range: unspecified
Patches
No patches discovered yet.