Headline
CVE-2023-21288
In visitUris of Notification.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
)]}'
{
  "commit": "726247f4f53e8cc0746175265652fa415a123c0c",
  "tree": "865181b307278ddbed77404c71b416a4f86294ae",
  "parents": [
    "e7ccba6da2c3febeb449c172c1d8091f7a35193d"
  ],
  "author": {
    "name": "Ioana Alexandru",
    "email": "[email protected]",
    "time": "Mon May 15 16:15:55 2023 +0000"
  },
  "committer": {
    "name": "Android Build Coastguard Worker",
    "email": "[email protected]",
    "time": "Thu Jun 08 20:33:57 2023 +0000"
  },
  "message": "Check URIs in notification public version.\n\nBug: 276294099\nTest: atest NotificationManagerServiceTest NotificationVisitUrisTest\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67cd169d073486c7c047b80ab83843cdee69bf53)\nMerged-In: I670198b213abb2cb29a9865eb9d1e897700508b4\nChange-Id: I670198b213abb2cb29a9865eb9d1e897700508b4\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "034192ddcecec7487e8764a22915a7e99a218055",
      "old_mode": 33188,
      "old_path": "core/java/android/app/Notification.java",
      "new_id": "e564ec1490373e7b1d280b36bb112414bd1a20fd",
      "new_mode": 33188,
      "new_path": "core/java/android/app/Notification.java"
    },
    {
      "type": "modify",
      "old_id": "689691b749a3f0f67101637f657563c18a55c647",
      "old_mode": 33261,
      "old_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java",
      "new_id": "28480bcda4eb13baf696a5a4385e986aaac31f8b",
      "new_mode": 33261,
      "new_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java"
    }
  ]
}
Related news
DoS vulnerability in the PMS module. Successful exploitation of this vulnerability may cause the system to restart.
In doKeyguardLocked of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.