Full Report
Vulnerability CVE-2024-12993, which allows revealing the user's location, has been found in the Infinix Mobile com.rlk.weathers application.
Analysis Summary
# Vulnerability: Location Leakage in Infinix Mobile Weather Application
## CVE Details
- CVE ID: CVE-2024-12993
- CVSS Score: Information not provided in the source. (Severity cannot be formally assigned without the score.)
- CWE: CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere)
## Affected Systems
- Products: Infinix Mobile com.rlk.weathers application (preloaded application on Infinix devices).
- Versions: 7.0.0.037
- Configurations: All Infinix Mobile devices running the vulnerable version (inferred; the source does not list specific models).
## Vulnerability Description
The vulnerability resides in the `com.rlk.weathers` application due to an unsecured, exported content provider. An unauthenticated attacker can interact with this content provider to arbitrarily reveal the user's precise location without requiring any special user privileges.
## Exploitation
- Status: Not exploited in the wild (based on the advisory provided; the vulnerability was reported responsibly). A PoC likely exists, since exploitation only involves communicating with an exposed content provider.
- Complexity: Low (Requires communication with an exposed component).
- Attack Vector: Network (Assuming the content provider is accessible externally or via a compromised application context).
## Impact
- Confidentiality: High (User location data is exposed).
- Integrity: Low (No reports of data modification).
- Availability: Low (No reports of service disruption).
## Remediation
### Patches
- No specific patch version or advisory from the vendor (Infinix Mobile) was provided in the source material, as the vendor reportedly did not respond.
### Workarounds
- Uninstall or disable the `com.rlk.weathers` application if possible.
- Restrict the application's permissions, particularly location services, if granular control is available on the device.
## Detection
- Indicators of Compromise: Excessive or unexpected communication patterns directed towards the `com.rlk.weathers` application's components, specifically attempts to query its content provider.
- Detection Methods and Tools: Application monitoring tools should scan for interactions with exported content providers within preloaded system applications like this weather service.
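As a defender-side check covering both the misconfiguration described above (an exported content provider with no permission gate) and the detection advice in this section, the following is an added Python example; it is not code from the advisory, CERT Polska or Infinix. It parses an AndroidManifest.xml and flags every exported `<provider>` whose read or write path is not protected by a permission, applying the platform default for `android:exported` when the attribute is absent (providers default to exported before targetSdkVersion 17). The manifests embedded in it are constructed samples, and the package, authority and permission names are placeholders, not the real `com.rlk.weathers` values, which the advisory does not give.

```python
"""Audit an AndroidManifest.xml for exported content providers that any app on
the device can read or write. Added example; package, authority and permission
names are constructed placeholders, not the real com.rlk.weathers values."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _target_sdk(root):
    """targetSdkVersion from <uses-sdk>, falling back to minSdkVersion, then 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    value = _android_attr(uses_sdk, "targetSdkVersion") or _android_attr(uses_sdk, "minSdkVersion")
    return int(value) if value else 1


def _is_exported(provider, target_sdk):
    """Resolve android:exported, applying the platform default when absent:
    providers are exported by default below targetSdkVersion 17, private from 17 on."""
    explicit = _android_attr(provider, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return target_sdk < 17


def find_unprotected_providers(manifest_xml):
    """Return one (authority, problems) tuple per exported <provider> whose read or
    write path is not gated by android:permission / readPermission / writePermission."""
    root = ET.fromstring(manifest_xml)
    target_sdk = _target_sdk(root)
    findings = []
    for provider in root.iter("provider"):
        if not _is_exported(provider, target_sdk):
            continue
        general = _android_attr(provider, "permission")
        read_perm = _android_attr(provider, "readPermission") or general
        write_perm = _android_attr(provider, "writePermission") or general
        problems = []
        if read_perm is None:
            problems.append("readable by any app (no permission/readPermission)")
        if write_perm is None:
            problems.append("writable by any app (no permission/writePermission)")
        if problems:
            findings.append((_android_attr(provider, "authorities"), problems))
    return findings


# Constructed sample: the weak pattern the advisory describes, an exported
# provider with no permission attribute at all (placeholder names).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <provider android:name=".LocationProvider"
        android:authorities="com.example.weather.location"
        android:exported="true"/>
  </application>
</manifest>"""

# Constructed sample: the same provider kept private to its own package.
HARDENED_MANIFEST = WEAK_MANIFEST.replace('android:exported="true"', 'android:exported="false"')

# Constructed sample: the provider must be shared with another first-party app,
# so access is gated by a signature-level permission instead of being open.
SIGNATURE_GATED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <permission android:name="com.example.weather.permission.ACCESS_LOCATION_DATA"
      android:protectionLevel="signature"/>
  <application>
    <provider android:name=".LocationProvider"
        android:authorities="com.example.weather.location"
        android:exported="true"
        android:permission="com.example.weather.permission.ACCESS_LOCATION_DATA"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST),
                            ("signature-gated", SIGNATURE_GATED_MANIFEST)):
        print(label, find_unprotected_providers(manifest))
```

Running the module prints one finding for the weak manifest and none for the two hardened variants. On a device, the same check applies to the manifest extracted from a preloaded APK (for example with `aapt dump xmltree` or `apktool`); any exported provider it reports is a component worth reviewing before the next firmware build, and `android:exported="false"` is the fix unless another app genuinely needs the data.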
## References
- Vendor advisories: None available as the vendor reportedly did not respond to CERT Polska.
- Relevant links (defanged):
  - hXXps://incydent.cert.pl/#!/lang=en
  - hXXps://cert.pl/en/author/cert-polska/
  - hXXps://www.cve.org/CVERecord?id=CVE-2024-12993
  - hXXps://cwe.mitre.org/data/definitions/497.html
  - hXXps://cert.pl/en/cvd/