CVE-2022-4903 — CodenameOne Pending Intent vulnerability

Description

A vulnerability was found in CodenameOne 7.0.70. The manipulation leads to use of implicit intent for sensitive communication. It is possible to launch the attack remotely. Upgrading to version 7.0.71 is able to address this issue. The name of the patch is dad49c9ef26a598619fc48d2697151a02987d478. It is recommended to upgrade the affected component.

How to fix CVE-2022-4903

To remediate CVE-2022-4903, upgrade the affected package to a fixed version below.

—upgrade to 7.0.71 or later

Is CVE-2022-4903 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 7.0.71

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-4903
PATCHgithub.com/codenameone/CodenameOne
WEBgithub.com/codenameone/CodenameOne/commit/dad49c9ef26a598619fc48d2697151a02987d478
WEBgithub.com/codenameone/CodenameOne/issues/3583