cbcvebase.
CVE-2024-43093
published 2024-11-13

CVE-2024-43093: In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due…

PriorityP181high7.3CVSS 3.1
AVLACLPRLUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2024-11-28
Exploited in the wild
EPSS
0.71%
49.0th percentile
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Affected

17 ranges
VendorProductVersion rangeFixed in
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
platformframeworks_base>= 12:0 < 12:2025-03-0112:2025-03-01
platformframeworks_base>= 12L:0 < 12L:2025-03-0112L:2025-03-01
platformframeworks_base>= 13:0 < 13:2025-03-0113:2025-03-01
platformframeworks_base>= 14:0 < 14:2025-03-0114:2025-03-01
platformframeworks_base>= 15-next:0 < 15-next:2025-03-0115-next:2025-03-01
platformframeworks_base>= 15:0 < 15:2025-03-0115:2025-03-01

Detection & IOCsextracted from sources · hover to see the quote

pathExternalStorageProvider.java
  • Monitor for file path access attempts to sensitive directories via Documents UI / ExternalStorageProvider that include Unicode-normalized path components (e.g., homoglyph or decomposed Unicode characters) that may bypass the shouldHideDocument filter.
  • CVE-2024-43093 impacts the Android Framework component and Google Play system updates, specifically in the Documents UI — monitor for anomalous privilege escalation events originating from the Documents UI process.
  • CVE-2024-43093 has been observed exploited in limited, targeted attacks — treat any exploitation as potentially linked to spyware or nation-state activity, particularly given co-exploitation with CVE-2024-43047 in NoviSpy spyware campaigns.
  • ·Affected Android versions are 12, 12L, 13, 14, and 15; Android 11 and older are no longer supported and may not receive patches.
  • ·Google Pixel devices receive patches immediately; other OEM vendors typically take longer to test and deploy security patches — detection/patching timelines will vary by device manufacturer.

CVSS provenance

nvdv3.17.3HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
vulncheck7.3HIGH
cisa7.3HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.