⚠ Actively exploited
Added to CISA KEV on 2023-04-13. Federal agencies required to patch by 2023-05-04. Required action: Apply updates per vendor instructions..
CVE-2023-20963 — Improper Certificate Validation in Google Android
Severity
7.8HIGHNVD
EPSS
1.8%
top 17.00%
CISA KEV
KEV
Added 2023-04-13
Due 2023-05-04
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedMar 24
KEV addedApr 13
KEV dueMay 4
CISA Required Action: Apply updates per vendor instructions.
Description
In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-220302519
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9
Affected Packages4 packages
Patches
🔴Vulnerability Details
4Project0▶
Project Zero RCA: CVE-2023-20963: Android: mismatching parcel/unparcel logic for WorkSource↗