Lucene search

GoogleOSV:ASB-A-242846316

HistoryJan 01, 2023 - 12:00 a.m.

Automatically turn on notification access after the user has turns off without the user's awareness via ZenRule#condition

2023-01-0100:00:00

Google

osv.dev

zenrule#condition

improper input validation

local privilege escalation

user interaction

notification access

software

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.0005 Low

EPSS

Percentile

17.8%

JSON

In Condition of Condition.java, there is a possible way to grant notification access due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CPENameOperatorVersion
platform/frameworks/baseeq10
platform/frameworks/baseeq13
platform/frameworks/baseeq12L
platform/frameworks/baseeq12
platform/frameworks/baseeq11

Name	Operator	Version
platform/frameworks/base	eq	10
platform/frameworks/base	eq	13
platform/frameworks/base	eq	12L
platform/frameworks/base	eq	12
platform/frameworks/base	eq	11

References

android.googlesource.com/platform/frameworks/base/+/81352c3775949c622441e10b468766441e35edc7

source.android.com/security/bulletin/2023-01-01

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.0005 Low

EPSS

Percentile

17.8%

JSON

Related for OSV:ASB-A-242846316