Lucene search

GoogleOSV:ASB-A-293602317

HistoryMay 01, 2024 - 12:00 a.m.

[STS SDK Grant] Create and persist a new secondary user without any restrictions via a super large seed account type

2024-05-0100:00:00

Google

osv.dev

usermanagerservice

input validation

privilege escalation

user interaction

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

Percentile

9.0%

JSON

In multiple methods of UserManagerService.java, there is a possible failure to persist or enforce user restrictions due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

References

android.googlesource.com/platform/frameworks/base/+/6a9250ec7fc9801a883cedd7860076f42fb518ac

source.android.com/security/bulletin/2024-05-01

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for OSV:ASB-A-293602317