CVE-2023-21270Incorrect Authorization in Frameworks Base

CWE-863Incorrect AuthorizationCWE-276Incorrect Default Permissions5 documents5 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 91.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Platform Frameworks BasePlatform Packages Apps Launcher3Google Andrioid+1 more
Timeline
PublishedNov 19

Description

In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way for an app to keep permissions that should be revoked due to incorrect permission flags cleared during an update. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

Androidplatform/frameworks_base13-next:013-next:2023-08-01+3
Androidplatform/packages_apps_launcher313-next:013-next:2023-08-01+1
NVDgoogle/android12.0, 12.1, 13.0+2
CVEListV5google/andrioidsc-dev, sc-v2-dev, tm-dev+2

Patches

Patch: source.android.com

🔴Vulnerability Details

3
CVEList
CVE-2023-21270: In restorePermissionState of PermissionManagerServiceImpl2024-11-19
GHSA
GHSA-cp57-7c6j-pxfg: In restorePermissionState of PermissionManagerServiceImpl2024-11-19
OSV
CVE-2023-21270: In restorePermissionState of PermissionManagerServiceImpl2023-08-01

📋Vendor Advisories

1
Android
CVE-2023-21270: Android Security Bulletin 2023-08-01 CVE: CVE-2023-21270 Severity: HIGH Type: EoP Affected AOSP versions: 12, 12L, 13 References: A-283006437 [2]2023-08-01
CVE-2023-21270 — Incorrect Authorization | cvebase