CVE-2022-20444 — UI Misrepresentation / Clickjacking in Frameworks Base
Severity: HIGH (no vector)
EPSS: No EPSS data
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Dec 13
Latest update: May 1
Description
In several functions of inputDispatcher.cpp, there is a possible way to make toasts clickable due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-11 Android-12
Android ID: A-197296414
Affected Packages: 2 packages
Vulnerability Details: 2
Vendor Advisories: 1
Android
CVE-2022-20444: Android Security Bulletin 2023-05-01
CVE: CVE-2022-20444
Severity: HIGH
Type: EoP
Affected AOSP versions: 11, 12
References: A-197296414