CVE-2018-9467

9.8 CRITICAL

📋 TL;DR

CVE-2018-9467 is an incorrect web origin determination vulnerability in Android's UriTest.java: the flawed origin check can lead to incorrect security decisions, and no user interaction is required to trigger it. It affects Android devices running the vulnerable versions listed below and could enable cross-origin attacks and security policy violations.

💻 Affected Systems

Products:
  • Android
Versions: Android 7.0 (Nougat) through 9.0 (Pie)
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with vulnerable Android versions regardless of manufacturer or carrier modifications.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete bypass of web origin security policies allowing cross-origin attacks, data theft, and privilege escalation in web contexts.

🟠 Likely Case: WebView-based applications could have their security policies bypassed, potentially leading to cross-site scripting or data leakage.

🟢 If Mitigated: Limited impact with proper web security headers, Content Security Policies, and updated Android security patches.

🌐 Internet-Facing: HIGH - WebView components in Android apps can be exploited remotely via malicious web content.
🏢 Internal Only: MEDIUM - Internal apps using WebView could be vulnerable if loading untrusted content.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No user interaction required, making exploitation straightforward for attackers with web access to vulnerable apps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level 2018-09-01 and later

Vendor Advisory: https://source.android.com/security/bulletin/2018-09-01

Restart Required: Yes

Instructions:

1. Apply Android security patch 2018-09-01 or later.
2. Update affected Android devices through system updates.
3. Reboot device after update installation.

🔧 Temporary Workarounds

  • Disable WebView in vulnerable apps (android): Configure apps to not use WebView components for untrusted content
  • Implement Content Security Policy (all): Add strict CSP headers to web content served to WebView

🧯 If You Can't Patch

  • Isolate vulnerable devices from untrusted networks
  • Monitor for suspicious web origin requests in application logs

🔍 How to Verify

Check if Vulnerable:

Check Android Security Patch Level in Settings > About phone > Android security patch level

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android Security Patch Level is 2018-09-01 or later
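The check above compares the device's declared patch level against 2018-09-01. The following POSIX shell script is an added example, not part of the original advisory or of Android's own tooling: it reads the real `ro.build.version.security_patch` property over adb (the same command shown above), validates the value, and compares it against the fix level. The `FIX_LEVEL` constant and the function names are this example's own; the verdict covers the edge case where the property is empty or malformed, which is reported as unknown rather than as fixed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a device's Android security
# patch level relative to the 2018-09-01 fix level for CVE-2018-9467.

FIX_LEVEL="2018-09-01"   # fix level stated in the advisory above

# date_num YYYY-MM-DD -> YYYYMMDD, so ISO dates can be compared as integers.
date_num() {
    d="$1"
    y=${d%%-*}; r=${d#*-}; m=${r%%-*}; dd=${r#*-}
    printf '%s%s%s' "$y" "$m" "$dd"
}

# is_patched LEVEL
#   0 -> LEVEL is on or after FIX_LEVEL (fix present by declared level)
#   1 -> LEVEL is earlier than FIX_LEVEL (vulnerable)
#   2 -> LEVEL is empty or not a YYYY-MM-DD date (unknown; never treated as fixed)
is_patched() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    [ "$(date_num "$level")" -ge "$(date_num "$FIX_LEVEL")" ]
}

# verdict LEVEL -> prints fixed | vulnerable | unknown
verdict() {
    is_patched "$1"
    case $? in
        0) echo fixed ;;
        1) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# check_device [SERIAL]: query one connected device via adb and print a verdict.
# Note: this reports the level the firmware declares; it cannot inspect the fix itself.
check_device() {
    serial_arg=""
    [ -n "$1" ] && serial_arg="-s $1"
    # shellcheck disable=SC2086  (serial_arg is intentionally word-split)
    level=$(adb $serial_arg shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    case "$(verdict "$level")" in
        fixed)      printf 'patch level %s: fixed (>= %s)\n' "$level" "$FIX_LEVEL" ;;
        vulnerable) printf 'patch level %s: VULNERABLE to CVE-2018-9467 (< %s)\n' "$level" "$FIX_LEVEL" ;;
        *)          printf 'patch level unreadable (%s): no device or property missing\n' "${level:-empty}" ;;
    esac
}

# When saved as check_patch.sh and run directly, check the connected device:
#   sh check_patch.sh            # single device
#   sh check_patch.sh <serial>   # pick one of several devices
case "$0" in *check_patch.sh) check_device "$@" ;; esac
```

Dates in YYYY-MM-DD form compare correctly once the dashes are removed, so no date library is needed. The property read over adb is the vendor's declared level, which is exactly what the verification step above relies on; the script therefore answers the same question as the Settings screen, just in a form that can be run across a fleet of devices.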

📡 Detection & Monitoring

Log Indicators:

  • Unusual web origin requests in WebView logs
  • Cross-origin resource access violations

Network Indicators:

  • Suspicious cross-origin requests from Android apps
  • Unexpected web traffic from WebView components

SIEM Query:

source="android_logs" AND ("WebView" OR "origin") AND ("violation" OR "bypass")
