CVE-2023-21277

In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.


)]}'
{
  "commit": "9b58aee2a4528c60b0aa2540bd0f48d2871d2dc7",
  "tree": "dd725ead57947a7429e13b3f6303e33a84b421b7",
  "parents": [
    "155b14600fb13553a47b4e45fe0acd163da07453"
  ],
  "author": {
    "name": "Ioana Alexandru",
    "email": "[email protected]",
    "time": "Thu May 25 11:43:43 2023 +0000"
  },
  "committer": {
    "name": "Android Build Coastguard Worker",
    "email": "[email protected]",
    "time": "Thu Jun 08 20:34:21 2023 +0000"
  },
  "message": "Visit URIs in themed remoteviews icons.\n\nBug: 281018094\nTest: atest RemoteViewsTest NotificationVisitUrisTest\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:634a69b7700017eac534f3f58cdcc2572f3cc659)\nMerged-In: I2014bf21cf90267f7f1b3f370bf00ab7001b064e\nChange-Id: I2014bf21cf90267f7f1b3f370bf00ab7001b064e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "406c7694e5033d2967e0f893224fb9f4218f3e61",
      "old_mode": 33188,
      "old_path": "core/java/android/widget/RemoteViews.java",
      "new_id": "04e46e8b031bc0a9ceebea2ac37cd98b35f6760e",
      "new_mode": 33188,
      "new_path": "core/java/android/widget/RemoteViews.java"
    },
    {
      "type": "modify",
      "old_id": "e0cccf2f52008ebfb7a63b47baa2e5eb417e5fe9",
      "old_mode": 33188,
      "old_path": "core/tests/coretests/src/android/widget/RemoteViewsTest.java",
      "new_id": "a8f2b1d22aed7980b4635ef68e943fd687257bfd",
      "new_mode": 33188,
      "new_path": "core/tests/coretests/src/android/widget/RemoteViewsTest.java"
    }
  ]
}

Related news

CVE-2023-21267: Android Security Bulletin—August 2023

In doKeyguardLocked of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
