CVE-2024-49734: Infoleak
First published: Mon Jan 06 2025(Updated: )
In multiple functions of ConnectivityService.java, there is a possible way for a Wi-Fi AP to determine what site a device has connected to through a VPN due to side channel information disclosure. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Credit: security@android.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Android | =14.0 | |
| Android | =15.0 | |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://source.android.com/security/bulletin/2025-01-01
- https://android.googlesource.com/platform/frameworks/libs/net/+/e72c61380c52a4450970556e5936c5ec03fd66fb
- https://android.googlesource.com/platform/frameworks/libs/net/+/b20d67cbfc24a54dfe1dc9854bac61fdf52f7913
- https://android.googlesource.com/platform/packages/modules/Connectivity/+/1a0dd8ccde71c2252132d60e5b897fa2f569cc76
- https://android.googlesource.com/platform/packages/modules/Connectivity/+/4e80ab9ca5b9e7db8185cdde240ab0f01a2c0611
- https://android.googlesource.com/platform/packages/modules/Connectivity/+/de7b97573ac92be4cff6ca71a1837b2fe0dcbbab
- https://android.googlesource.com/platform/packages/modules/Connectivity/+/c16addaec604d724cf5296f89e606d558128d0cc
- https://android.googlesource.com/platform/packages/modules/Connectivity/+/d5d5e5749316d31a63b9b8b132e273d29364401b
- https://android.googlesource.com/platform/packages/modules/Connectivity/+/9eb0da27c4ecff37f7b6d2328b8dee6ba766ad1a
- https://source.android.com/docs/security/bulletin/2025-01-01 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-49734?
The severity of CVE-2024-49734 is classified as high due to the potential for remote information disclosure.
How do I fix CVE-2024-49734?
To fix CVE-2024-49734, update your Android device to the latest version provided by Google.
What products are affected by CVE-2024-49734?
CVE-2024-49734 affects multiple versions of Google's Android operating system.
Can CVE-2024-49734 be exploited remotely?
Yes, CVE-2024-49734 can be exploited remotely without requiring additional execution privileges.
What are the implications of CVE-2024-49734 for users?
Users may face risks of having their browsing information disclosed through VPN connections.
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/severity
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/weakness
- collector/android-source
- source/Android
- agent/software-canonical-lookup
- collector/epss-latest
- source/FIRST
- agent/source
- agent/epss
- agent/tags
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- vendor/google
- canonical/android
- version/android/14.0
- version/android/15.0