CVE-2023-21192Improper Input Validation in Google Android

CWE-20Improper Input Validation3 documents3 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 94.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform Frameworks BaseGoogle Android
Timeline
PublishedJun 28

Description

In setInputMethodWithSubtypeIdLocked of InputMethodManagerService.java, there is a possible way to setup input methods that are not enabled due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-227207653

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

CVEListV5google/androidAndroid-13
NVDgoogle/android13.0
Androidplatform/frameworks_base13-next:013-next:2023-06-01+1

🔴Vulnerability Details

2
GHSA
GHSA-ch2w-f7c7-mm84: In setInputMethodWithSubtypeIdLocked of InputMethodManagerService2023-06-28
OSV
CVE-2023-21192: In setInputMethodWithSubtypeIdLocked of InputMethodManagerService2023-06-01