Headline
CVE-2023-21291
In visitUris of Notification.java, there is a possible way to reveal image contents from another user due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
)]}’ { "commit": "cb6282e8970f4c9db5497889699e68fb2038566e", "tree": "974ae991a39967eee17120b12758de2b2c0f2303", "parents": [ “7a5e51c918b7097be3c7e669e1825a4d159c4185” ], "author": { "name": "Ioana Alexandru", "email": "[email protected]", "time": “Thu Apr 27 14:55:28 2023 +0000” }, "committer": { "name": "Android Build Coastguard Worker", "email": "[email protected]", "time": “Thu Jun 08 20:33:40 2023 +0000” }, "message": "Verify URI permissions for notification shortcutIcon.\n\nBug: 277593270\nTest: atest NotificationManagerServiceTest\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:936b58b12851269b878b44cc8df790b3afe9c3f5)\nMerged-In: Iaf2a9a82f18e018e60e6cdc020da6ebf7267e8b1\nChange-Id: Iaf2a9a82f18e018e60e6cdc020da6ebf7267e8b1\n", "tree_diff": [ { "type": "modify", "old_id": "b3921fe8bd79c6c799609cb1419fd291e6094aee", "old_mode": 33188, "old_path": "core/java/android/app/Notification.java", "new_id": "034192ddcecec7487e8764a22915a7e99a218055", "new_mode": 33188, "new_path": “core/java/android/app/Notification.java” }, { "type": "modify", "old_id": "cc0bc24fc660f325b85405f105f5b7ed7f8e7b49", "old_mode": 33261, "old_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java", "new_id": "689691b749a3f0f67101637f657563c18a55c647", "new_mode": 33261, "new_path": “services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java” } ] }