CVE-2023-21246: Improper Check for Unusual or Exceptional Conditions in Frameworks Base

Severity
3.3 LOW (NVD)
EPSS
0.0%
top 95.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jul 13

Description

In ShortcutInfo of ShortcutInfo.java, there is a possible way for an app to retain notification listening access due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 1.8 | Impact: 1.4

Affected Packages (4 packages)

Android: platform/frameworks_base 13-next:0 13-next:2023-07-01 +4
CVEListV5: google/android, 4 versions +3
NVD: google/android, 4 versions +3

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-jmwv-xww6-6hcv: In ShortcutInfo of ShortcutInfo (2023-07-13)
OSV: CVE-2023-21246: In ShortcutInfo of ShortcutInfo (2023-07-01)

📋 Vendor Advisories (1)

Android: CVE-2023-21246, Android Security Bulletin 2023-07-01 (2023-07-01)
CVE: CVE-2023-21246
Severity: HIGH
Type: EoP
Affected AOSP versions: 11, 12, 12L, 13
References: A-273729476