CVE-2024-13916

An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.android.providers.settings.fingerprint.PriFpShareProvider“ content provider's public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. Application update was released in April 2025.

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/en/posts/2025/05/CVE-2024-13915

Configurations

No configuration.

History

10 Jun 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-30 16:15

Updated : 2025-06-10 10:15

NVD link : CVE-2024-13916

Mitre link : CVE-2024-13916

CVE.ORG link : CVE-2024-13916

JSON object : View

Products Affected

No product.

CWE

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

{"id": "CVE-2024-13916", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-30T16:15:36.117", "references": [{"url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915", "source": "cvd@cert.pl"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-497"}]}], "descriptions": [{"lang": "en", "value": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.android.providers.settings.fingerprint.PriFpShareProvider\u201c content provider's public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.\n\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \nApplication update was released in April 2025."}, {"lang": "es", "value": "La aplicaci\u00f3n \"com.pri.applock\", preinstalada en los smartphones Kr\u00fcger&Matz, permite cifrar cualquier aplicaci\u00f3n mediante el c\u00f3digo PIN proporcionado por el usuario o datos biom\u00e9tricos. El m\u00e9todo p\u00fablico \"query()\" del proveedor de contenido \"com.android.providers.settings.fingerprint.PriFpShareProvider\", expuesto, permite que cualquier otra aplicaci\u00f3n maliciosa, sin permisos del sistema Android, extraiga el c\u00f3digo PIN. El proveedor no proporcion\u00f3 informaci\u00f3n sobre las versiones vulnerables. Solo la versi\u00f3n (nombre de la versi\u00f3n: 13, c\u00f3digo de la versi\u00f3n: 33) fue probada y se confirm\u00f3 que presenta esta vulnerabilidad."}], "lastModified": "2025-06-10T10:15:21.443", "sourceIdentifier": "cvd@cert.pl"}