⚠ Actively exploited
Added to CISA KEV on 2024-03-05. Federal agencies required to patch by 2024-03-26. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-21237: Sensitive Information Exposure in Google Android

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.7% (top 27.41%)
CISA KEV: added 2024-03-05, due 2024-03-26
Exploit: exploited in the wild; active exploitation observed
Timeline: published Jun 28; KEV added Mar 5; KEV due Mar 26

Description

In applyRemoteView of NotificationContentInflater.java, there is a possible way to hide a foreground service notification due to misleading or insufficient UI. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-13
Android ID: A-251586912

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6
(Decoded: local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope; high confidentiality impact, no integrity or availability impact.)

Affected Packages (3 packages)

CVEListV5: google/android, version Android-13
NVD: google/android, version 13.0
Android: platform/frameworks_base, versions 13-next:0, 13-next:2023-06-01, +1

Vulnerability Details (3)

GHSA: GHSA-qhm9-gg74-g6m6: In applyRemoteView of NotificationContentInflater (2023-06-28)
OSV: CVE-2023-21237: In applyRemoteView of NotificationContentInflater (2023-06-01)
VulnCheck: Android Pixel Information Disclosure Vulnerability (2023)

Vendor Advisories (1)

CISA: Android Pixel Information Disclosure Vulnerability (2024-03-05)