Cyber Resilience

CVE-2022-1799

Medium

Published: 29 July 2022

Published
29 July 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.7 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0015 36.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-1799 is a medium-severity Trust Boundary Violation (CWE-501) vulnerability in Google Google Play Services Software Development Kit. Its CVSS base score is 5.7 (Medium).

Operationally, ranked at the 36.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Incorrect signature trust exists within Google Play services SDK play-services-basement. A debug version of Google Play services is trusted by the SDK for devices that are non-GMS. We recommend upgrading the SDK past the 2022-05-03 release.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
google play services software development kit
≤ 18.0.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-501

Establishes and maintains trust boundaries with external organizations before allowing their systems to interact with organization resources.

addresses: CWE-501

Prevents information from crossing trust boundaries without explicit approved authorizations.

addresses: CWE-501

Defining interfaces, controls, and trust responsibilities in agreements helps prevent violations of trust boundaries during data exchanges.

addresses: CWE-501

Authorizing and reviewing connections helps maintain proper trust boundaries between internal components.

addresses: CWE-501

Controlling media movement outside controlled areas maintains separation between internal and external trust boundaries.

addresses: CWE-501

Review of inter-system matching programs identifies and corrects trust-boundary violations before data crosses organizational or policy domains.

addresses: CWE-501

Defines explicit trust boundaries for PII use via documented purposes and prevents processing outside those boundaries.

addresses: CWE-501

Explicitly binding attributes to information crossing trust boundaries prevents loss of security context that leads to trust-boundary violations.

References