CVE-2023-20962: Improper Export of Android Application Components in Google Android

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 90.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 24

Description

In getSliceEndItem of MediaVolumePreferenceController.java, there is a possible way to start foreground activity from the background due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-13
Android ID: A-256590210

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

CVEListV5: google/android, Android-13
NVD: google/android, 13.0
Android: platform/packages_apps_settings, 13-next:0 13-next:2023-03-01 +1

Vulnerability Details (3)

CVEList
CVE-2023-20962: In getSliceEndItem of MediaVolumePreferenceController (2023-03-24)
GHSA
GHSA-hxx7-8jpf-2vg3: In getSliceEndItem of MediaVolumePreferenceController (2023-03-24)
OSV
CVE-2023-20962: In getSliceEndItem of MediaVolumePreferenceController (2023-03-01)

Vendor Advisories (1)

Android
CVE-2023-20962: Android Security Bulletin 2023-03-01 (2023-03-01)
CVE: CVE-2023-20962
Severity: HIGH
Type: ID
Affected AOSP versions: 13
References: A-256590210