Headline
CVE-2023-40139
In FillUi of FillUi.java, there is a possible way to view another user’s images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
)]}'
{
  "commit": "08becc8c600f14c5529115cc1a1e0c97cd503f33",
  "tree": "3f0b8b76102e3b965d293910f949644ce9963cc3",
  "parents": [
    "2d88a5c481df8986dbba2e02c5bf82f105b36243"
  ],
  "author": {
    "name": "Tim Yu",
    "email": "[email protected]",
    "time": "Tue Jun 20 21:24:36 2023 +0000"
  },
  "committer": {
    "name": "Android Build Coastguard Worker",
    "email": "[email protected]",
    "time": "Thu Aug 10 17:10:43 2023 +0000"
  },
  "message": "[DO NOT MERGE] Verify URI Permissions in Autofill RemoteViews\n\nCheck permissions of URI inside of FillResponse\u0027s RemoteViews. If the\ncurrent user does not have the required permissions to view the URI, the\nRemoteView is dropped from displaying.\n\nThis fixes a security spill in which a user can view content of another\nuser through a malicious Autofill provider.\n\nBug: 283137865\nFixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566\nb/281534749 b/283101289\nTest: Verified by POC app attached in bugs\nTest: atest CtsAutoFillServiceTestCases (added new tests)\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:93810ba1c0a4d31f49adbf9454731e2b7defdfc0)\nMerged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a\nChange-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "bc5d6457c945fec1263428c45dd50615ec131132",
      "old_mode": 33188,
      "old_path": "services/autofill/java/com/android/server/autofill/Helper.java",
      "new_id": "48113a81cca5f0a44dc5b478f47e7cadef622745",
      "new_mode": 33188,
      "new_path": "services/autofill/java/com/android/server/autofill/Helper.java"
    },
    {
      "type": "modify",
      "old_id": "c2c630e01bee7a3d999047550719a9e2b0e25201",
      "old_mode": 33188,
      "old_path": "services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java",
      "new_id": "59184e9ed28814672004f7d8a8d01b6105ab7b40",
      "new_mode": 33188,
      "new_path": "services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java"
    },
    {
      "type": "modify",
      "old_id": "8fbdd81cc4cc666f5fe855da1aa29187066ac73f",
      "old_mode": 33188,
      "old_path": "services/autofill/java/com/android/server/autofill/ui/FillUi.java",
      "new_id": "76fa258734ccc37aea53d19990e64f122c6a0f51",
      "new_mode": 33188,
      "new_path": "services/autofill/java/com/android/server/autofill/ui/FillUi.java"
    },
    {
      "type": "modify",
      "old_id": "677871f6c85f860363fc3e5cb2d07f65b602f6ef",
      "old_mode": 33188,
      "old_path": "services/autofill/java/com/android/server/autofill/ui/SaveUi.java",
      "new_id": "533a7b69a650a58ecceb078fd2442dc9e74f67c2",
      "new_mode": 33188,
      "new_path": "services/autofill/java/com/android/server/autofill/ui/SaveUi.java"
    }
  ]
}
Related news
Vulnerability of identity verification being bypassed in the face unlock module. Successful exploitation of this vulnerability will affect integrity and confidentiality.