Lucene search

GoogleOSV:ASB-A-280797684

HistoryAug 01, 2023 - 12:00 a.m.

ADP Grant - Detecting low resolution pictures of other users’ by StatusHints shown in in-call UI

2023-08-0100:00:00

Google

osv.dev

adp grant

statushints

low resolution

pictures

user interaction

local information disclosure

confused deputy

software

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

16.7%

JSON

In multiple functions of StatusHints.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

References

android.googlesource.com/platform/frameworks/base/+/e17fd149c0a2bf6cce56ebfae3fa5364fead22cc

android.googlesource.com/platform/packages/services/Telecomm/+/9b41a963f352fdb3da1da8c633d45280badfcb24

source.android.com/security/bulletin/2023-08-01

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

16.7%

JSON

Related for OSV:ASB-A-280797684