CVE-2021-39617 — UI Misrepresentation / Clickjacking in Frameworks Base

CWE-1021 — UI Misrepresentation / Clickjacking3 documents3 sources

Severity

—N/A

No vector

EPSS

No EPSS data

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Platform Frameworks Native Platform Packages Apps Packageinstaller +1 more

Timeline

PublishedMay 1

Description

In multiple buttons of grant_permissions.xml, there is a possible way to bypass permissions dialogs due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Packages4 packages

▶Androidplatform/frameworks_base11:0 — 11:2023-05-01+1

▶Androidplatform/frameworks_native13-next:0 — 13-next:2023-05-01+3

▶Androidplatform/packages_modules_permission13-next:0 — 13-next:2023-05-01+1

▶Androidplatform/packages_apps_packageinstaller11:0 — 11:2023-05-01

🔴Vulnerability Details

OSV

CVE-2021-39617: In multiple buttons of grant_permissions↗2023-05-01

▶

GHSA

GHSA-jvp9-5xr3-p4jg: In the user interface buttons of PermissionController, there is a possible way to bypass permissions dialogs due to a tapjacking/overlay attack↗2022-12-13

▶

📋Vendor Advisories

Android

CVE-2021-39617: Android Security Bulletin 2023-05-01 CVE: CVE-2021-39617 Severity: HIGH Type: EoP Affected AOSP versions: 11, 12, 12L References: A-175190844↗2023-05-01

▶