PatchSiren

CVE-2017-0413 Google CVE debrief

CVE-2017-0413 is an information disclosure vulnerability in AOSP Messaging that could let a local malicious application bypass Android’s app-isolation protections and access data it should not be able to read. NVD rates the issue with CVSS 3.0 5.5 (Medium), but the vulnerability description also characterizes the impact as High because it can expose application data.

Vendor: Google
Product: CVE-2017-0413
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

Android security teams, mobile device administrators, and organizations that allow third-party apps on devices running Android 6.0, 6.0.1, 7.0, or 7.1.1. It is most relevant where local malicious apps are a realistic risk.

Technical summary

The NVD record describes CVE-2017-0413 as a local information disclosure issue in AOSP Messaging. The CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N: a local, low-complexity attack that needs no privileges but does require user interaction, with unchanged scope, high confidentiality impact, and no integrity or availability impact. NVD maps the weakness to CWE-200. The affected Android versions listed in the record are 6.0, 6.0.1, 7.0, 7.1.0, and 7.1.1.

Defensive priority

Medium

Recommended defensive actions

  • Prioritize vendor-provided Android security updates for affected devices.
  • Inventory devices running Android 6.0 through 7.1.1 and confirm they are on a patched security level.
  • Treat untrusted or sideloaded Android apps as a meaningful risk factor on affected devices.
  • Review the Android security bulletin and related vendor advisory references for remediation guidance.
  • Monitor for any signs that messaging-related app data may be exposed on unmanaged or outdated devices.

Evidence notes

This debrief is based on the NVD CVE record and its vendor references. The record states the issue is an information disclosure vulnerability in AOSP Messaging, lists affected Android versions 6.0 through 7.1.1, assigns CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N with score 5.5, and identifies CWE-200. The source corpus includes a vendor advisory reference from source.android.com and no KEV entry.

Official resources

Published publicly on 2017-02-08. The source record was last modified on 2026-05-13, which is a record update date and not the vulnerability discovery date.