SB2023030649 - Multiple vulnerabilities in Google Android
Published: March 6, 2023 Updated: March 28, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 55 vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2022-25705)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Modem. A local application can execute arbitrary code.
2) Buffer over-read (CVE-ID: CVE-2022-40535)
CWE-ID: CWE-126 - Buffer over-read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN. A remote attacker can perform a denial of service (DoS) attack.
3) Incorrect Type Conversion or Cast (Type Conversion) (CVE-ID: CVE-2022-40531)
CWE-ID: CWE-704 - Type conversion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN. A local application can execute arbitrary code.
4) Integer overflow (CVE-ID: CVE-2022-40530)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN. A local application can execute arbitrary code.
5) Reachable Assertion (CVE-ID: CVE-2022-40527)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Embedded SW. A remote attacker can perform a denial of service (DoS) attack.
6) Double Free (CVE-ID: CVE-2022-40515)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Video. A remote attacker can read and manipulate data.
7) Buffer over-read (CVE-ID: CVE-2022-33309)
CWE-ID: CWE-126 - Buffer over-read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware.. A remote attacker can perform a denial of service (DoS) attack.
8) Buffer overflow (CVE-ID: CVE-2022-33278)
CWE-ID: CWE-120 - Buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.
9) Reachable Assertion (CVE-ID: CVE-2022-33272)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.
10) Reachable Assertion (CVE-ID: CVE-2022-33254)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.
11) Reachable Assertion (CVE-ID: CVE-2022-33250)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.
12) Reachable Assertion (CVE-ID: CVE-2022-33244)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.
13) Improper Authentication (CVE-ID: CVE-2022-33242)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Qualcomm IPC. A local application can execute arbitrary code.
14) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2022-25709)
CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Data Modem. A local application can execute arbitrary code.
15) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2022-25694)
CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in MODEM. A local application can execute arbitrary code.
16) Out-of-bounds write (CVE-ID: CVE-2021-33655)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in FBIOPUT_VSCREENINFO IOCTL. A local user can trigger an out-of-bounds write error and execute arbitrary code with elevated privileges.
17) Buffer overflow (CVE-ID: CVE-2022-25655)
CWE-ID: CWE-120 - Buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
18) Improper Validation of Array Index (CVE-ID: CVE-2022-33256)
CWE-ID: CWE-129 - Improper Validation of Array Index
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in Multi-mode call processor. A remote attacker can execute arbitrary code.
19) Stack-based buffer overflow (CVE-ID: CVE-2022-33213)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote application to execute arbitrary code.
The vulnerability exists due to improper input validation in MODEM. A remote application can execute arbitrary code.
20) Buffer overflow (CVE-ID: CVE-2022-40540)
CWE-ID: CWE-120 - Buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Linux Kernel. A local application can execute arbitrary code.
21) Improper Validation of Array Index (CVE-ID: CVE-2022-40537)
CWE-ID: CWE-129 - Improper Validation of Array Index
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Bluetooth HOST. A remote attacker can read and manipulate data.
22) Information Exposure (CVE-ID: CVE-2022-22075)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation in Graphics. A local application can gain access to sensitive information.
23) Use After Free (CVE-ID: CVE-2022-47460)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to damange or delete data.
The vulnerability exists due to a memory corruption due to a use after free within the gpu device in Kerenl. A local application can damange or delete data.
24) Missing Authorization (CVE-ID: CVE-2022-47462)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a missing permission check within the telephone service in Android. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
25) Information Exposure (CVE-ID: CVE-2022-47461)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a missing permission check within the telephone service in Android. A local application can read and manipulate data.
26) Out-of-bounds write (CVE-ID: CVE-2022-47459)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to read, manipulate or delete data.
The vulnerability exists due to a possible missing params check within the wlan driver in Kerenl. A local application can read, manipulate or delete data.
27) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2023-20623)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper locking within ion. A local application can execute arbitrary code.
28) Improper Input Validation (CVE-ID: CVE-2023-20621)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within tinysys. A local privileged application can execute arbitrary code.
29) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2023-20620)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a logic error within adsp. A local privileged application can execute arbitrary code.
30) Input validation error (CVE-ID: CVE-2022-20499)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of untrusted input within the Bluetooth component. A local application can perform a denial of service (DoS) attack.
31) Input validation error (CVE-ID: CVE-2023-20910)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Android Wi-Fi component. A local application can pass specially crafted input to the system and perform a denial of service (DoS) attack.
32) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20957)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android System component. A local application can escalate privileges on the device.33) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20953)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android System component. A local application can escalate privileges on the device.34) Information disclosure (CVE-ID: CVE-2023-20962)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to excessive data output by the Android System. A local application can gain access to sensitive information.
35) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20955)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android System component. A local application can escalate privileges on the device.36) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20936)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android System component. A local application can escalate privileges on the device.37) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20931)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android System component. A local application can escalate privileges on the device.38) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20926)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android System component. A local application can escalate privileges on the device.39) Input validation error (CVE-ID: CVE-2023-20954)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in the System component. A remote attacker can pass specially crafted input to the system and execute arbitrary code.
40) Input validation error (CVE-ID: CVE-2023-20951)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in the System component. A remote attacker can pass specially crafted input to the system and execute arbitrary code.
41) Input validation error (CVE-ID: CVE-2023-20964)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the Android Framework. A local application can perform a denial of service (DoS) attack.
42) Information disclosure (CVE-ID: CVE-2023-20958)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to gain access to sensitive data.
43) Information disclosure (CVE-ID: CVE-2023-20956)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to gain access to sensitive data.
The vulnerability exists due to excessive data output by the Android Framework media codecs. A local application can gain access to sensitive information.
44) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20966)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android System component. A local application can escalate privileges on the device.45) Information disclosure (CVE-ID: CVE-2022-20467)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to excessive data output by the Android System. A local application can gain access to sensitive information.
46) Information disclosure (CVE-ID: CVE-2023-20952)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to excessive data output by the Android System. A local application can gain access to sensitive information.
47) Information disclosure (CVE-ID: CVE-2023-20929)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to excessive data output by the Android System Tethering. A local application can gain access to sensitive information.
48) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20960)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android System component. A local application can escalate privileges on the device.49) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20959)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android System component. A local application can escalate privileges on the device.50) Information disclosure (CVE-ID: CVE-2022-4452)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to excessive data output by the Android System. A local application can gain access to sensitive information.
51) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20947)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android Framework permission controller. A local application can escalate privileges on the device.52) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20906)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android Framework. A local application can escalate privileges on the device.
53) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20963)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android Framework. A local application can escalate privileges on the device.
Note, the vulnerability is being actively exploited in the wild.
54) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20911)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android Framework. A local application can escalate privileges on the device.
55) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20917)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android Framework. A local application can escalate privileges on the device.
Remediation
Install update from vendor's website.
References
- https://source.android.com/docs/security/bulletin/2023-03-01
- https://source.android.com/docs/security/bulletin/2023-03-01#2023-03-01-security-patch-level-vulnerability-details
- https://github.com/davinci1010/pinduoduo_backdoor
- https://techcrunch.com/2023/03/20/google-flags-apps-made-by-popular-chinese-e-commerce-giant-as-malware/