Headline
CVE-2021-0734: Android 13 Security Release Notes | Android Open Source Project
In Settings, there is a possible way to determine whether an app is installed without query permissions, due to side channel information disclosure. This could lead to local information disclosure of an installed package, without proper query permissions, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-189122911
Published August 1, 2022 | Updated August 10, 2022
This Android Security Release Notes contains details of security vulnerabilities affecting Android devices which are addressed as part of Android 13. Android 13 devices with a security patch level of 2022-09-01 or later are protected against these issues (Android 13, as released on AOSP, will have a default security patch level of 2022-09-01). To learn how to check a device’s security patch level, see Check and update your Android version.
Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 13 release.
The severity assessment of issues in these release notes are based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.
We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.
Announcements
- The issues described in this document are addressed as part of Android 13. This information is provided for reference and transparency.
- We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.
Android and Google service mitigations
This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.
- Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
- The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.
Android 13 vulnerability details
The sections below provide details for security vulnerabilities fixed as part of Android 13. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.
Android runtime
CVE
References
Type
Severity
CVE-2013-0340
A-24901276
DoS
Moderate
Framework
CVE
References
Type
Severity
CVE-2022-20266
A-211757348
EoP
High
CVE-2022-20301
A-200956614
EoP
High
CVE-2022-20305
A-199751623
EoP
High
CVE-2022-20270
A-209005023
ID
High
CVE-2022-20294
A-202160705
ID
High
CVE-2022-20295
A-202160584
ID
High
CVE-2022-20296
A-201794303
ID
High
CVE-2022-20298
A-201416182
ID
High
CVE-2022-20299
A-201415895
ID
High
CVE-2022-20300
A-200956588
ID
High
CVE-2022-20303
A-200573021
ID
High
CVE-2022-20304
A-199751919
ID
High
CVE-2022-20260
A-220865698
DoS
High
CVE-2022-20246
A-230493191
EoP
Moderate
CVE-2022-20250
A-226134095
EoP
Moderate
CVE-2022-20255
A-222687217
EoP
Moderate
CVE-2022-20268
A-210468836
EoP
Moderate
CVE-2022-20271
A-207672635
EoP
Moderate
CVE-2022-20281
A-204083967
EoP
Moderate
CVE-2022-20282
A-204083104
EoP
Moderate
CVE-2022-20312
A-192244925
EoP
Moderate
CVE-2022-20331
A-181785557
EoP
Moderate
CVE-2022-20338
A-171966843
EoP
Moderate
CVE-2021-0734
A-189122911
ID
Moderate
CVE-2021-0735
A-188913056
ID
Moderate
CVE-2021-0975
A-180104273
ID
Moderate
CVE-2022-20243
A-190199986
ID
Moderate
CVE-2022-20249
A-226900861
ID
Moderate
CVE-2022-20252
A-224547584
ID
Moderate
CVE-2022-20262
A-218338453
ID
Moderate
CVE-2022-20263
A-217935264
ID
Moderate
CVE-2022-20272
A-207672568
ID
Moderate
CVE-2022-20275
A-205836975
ID
Moderate
CVE-2022-20276
A-205706731
ID
Moderate
CVE-2022-20277
A-205145497
ID
Moderate
CVE-2022-20279
A-204877302
ID
Moderate
CVE-2022-20285
A-230868108
ID
Moderate
CVE-2022-20287
A-204082784
ID
Moderate
CVE-2022-20288
A-204082360
ID
Moderate
CVE-2022-20289
A-203683960
ID
Moderate
CVE-2022-20291
A-203430648
ID
Moderate
CVE-2022-20293
A-202298672
ID
Moderate
CVE-2022-20307
A-198782887
ID
Moderate
CVE-2022-20309
A-194694094
ID
Moderate
CVE-2022-20315
A-191058227
ID
Moderate
CVE-2022-20316
A-190726121
ID
Moderate
CVE-2022-20318
A-194694069
ID
Moderate
CVE-2022-20320
A-187956596
ID
Moderate
CVE-2022-20324
A-187042120
ID
Moderate
CVE-2022-20328
A-184948501
ID
Moderate
CVE-2022-20332
A-180019130
ID
Moderate
CVE-2022-20336
A-177239688
ID
Moderate
CVE-2022-20341
A-162952629
ID
Moderate
CVE-2022-20322
A-187176993
ID
Low
CVE-2022-20323
A-187176203
ID
Low
CVE-2022-20278
A-205130113
EoP
Moderate
Media Framework
CVE
References
Type
Severity
CVE-2022-20290
A-203549963
EoP
Moderate
CVE-2022-20325
A-186473060
EoP
Moderate
CVE-2022-20247
A-229858836
ID
Moderate
CVE-2022-20317
A-190199063
ID
Moderate
Package
CVE
References
Type
Severity
CVE-2022-20319
A-189574230
EoP
Moderate
Platform
CVE
References
Type
Severity
CVE-2022-20302
A-200746457
EoP
High
CVE-2022-20321
A-187176859
ID
Moderate
Platform
CVE
References
Type
Severity
CVE-2022-20265
A-212804898
EoP
Moderate
System
CVE
References
Type
Severity
CVE-2022-20283
A-233069336
RCE
Critical
CVE-2022-20292
A-202975040
EoP
High
CVE-2022-20297
A-201561699
EoP
High
CVE-2022-20330
A-181962588
EoP
High
CVE-2021-0518
A-176541017
ID
High
CVE-2022-20245
A-215005011
ID
High
CVE-2022-20259
A-221431393
ID
High
CVE-2022-20284
A-231986341
ID
High
CVE-2022-20326
A-185235527
ID
High
CVE-2022-20327
A-185126813
ID
High
CVE-2022-20339
A-171572148
ID
High
CVE-2022-20362
A-230756082
RCE
Moderate
CVE-2022-20244
A-201083240
EoP
Moderate
CVE-2022-20248
A-227619193
EoP
Moderate
CVE-2022-20254
A-223377547
EoP
Moderate
CVE-2022-20256
A-222572821
EoP
Moderate
CVE-2022-20257
A-222289114
EoP
Moderate
CVE-2022-20258
A-221893030
EoP
Moderate
CVE-2022-20267
A-211646835
EoP
Moderate
CVE-2022-20269
A-209062898
EoP
Moderate
CVE-2022-20274
A-206470146
EoP
Moderate
CVE-2022-20286
A-230866011
EoP
Moderate
CVE-2022-20306
A-199680794
EoP
Moderate
CVE-2022-20313
A-192206329
EoP
Moderate
CVE-2022-20314
A-191876118
EoP
Moderate
CVE-2022-20329
A-183410556
EoP
Moderate
CVE-2022-20335
A-178014725
EoP
Moderate
CVE-2022-20241
A-217185011
ID
Moderate
CVE-2022-20242
A-231986212
ID
Moderate
CVE-2022-20251
A-225881167
ID
Moderate
CVE-2022-20261
A-219835125
ID
Moderate
CVE-2022-20273
A-206478022
ID
Moderate
CVE-2022-20280
A-204117261
ID
Moderate
CVE-2022-20310
A-192663798
ID
Moderate
CVE-2022-20311
A-192663553
ID
Moderate
CVE-2022-20340
A-166269532
ID
Moderate
CVE-2022-20342
A-143534321
ID
Moderate
CVE-2022-20253
A-224545125
DoS
Moderate
CVE-2022-20308
A-197874458
DoS
Moderate
CVE-2022-20333
A-179161657
DoS
Moderate
CVE-2022-20334
A-178800552
DoS
Moderate
Common questions and answers
This section answers common questions that may occur after reading this bulletin.
1. How do I determine if my device is updated to address these issues?
To learn how to check a device’s security patch level, see Check and update your Android version.
Android 13, as released on AOSP, has a default security patch level of 2022-09-01. Android devices running Android 13 and with a security patch leve of 2022-09-01 or later address all issues contained in these security release notes.
2. What do the entries in the Type column mean?
Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.
Abbreviation
Definition
RCE
Remote code execution
EoP
Elevation of privilege
ID
Information disclosure
DoS
Denial of service
N/A
Classification not available
3. What do the entries in the References column mean?
Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.
Prefix
Reference
A-
Android bug ID
Versions
Version
Date
Notes
1.0
August 1, 2022
Security Release Notes Published
1.1
August 10, 2022
Updated Issue List
Related news
Vulnerability of identity verification being bypassed in the face unlock module. Successful exploitation of this vulnerability will affect integrity and confidentiality.
In unflattenString8 of Sensor.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-269014004
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
The backup module has a path traversal vulnerability. Successful exploitation of this vulnerability causes unauthorized access to other system files.
Missing parameter type validation in the DRM module. Successful exploitation of this vulnerability may affect availability.
Uncaptured exceptions in the home screen module. Successful exploitation of this vulnerability may affect stability.
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an unprotected primary channel vulnerability. An unauthenticated network malicious attacker may potentially exploit this vulnerability, leading to a denial of filesystem services.
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain a process invoked with sensitive information vulnerability. A CLI user may potentially exploit this vulnerability, leading to information disclosure.
Dell PowerScale OneFS, 8.2.x through 9.3.0.x, contain an error message with sensitive information. An administrator could potentially exploit this vulnerability, leading to disclosure of sensitive information. This sensitive information can be used to access sensitive resources.
Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain broken or risky cryptographic algorithm. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access.
A logic issue was addressed with improved state management. This issue is fixed in Security Update 2021-005 Catalina, macOS Big Sur 11.6. A remote attacker may be able to leak memory.
A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.6, watchOS 8, tvOS 15, iOS 14.8 and iPadOS 14.8, iOS 15 and iPadOS 15. Processing a maliciously crafted image may lead to arbitrary code execution.
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.