Lucene search

K
cveGoogle_androidCVE-2024-0021
HistoryFeb 16, 2024 - 8:15 p.m.

CVE-2024-0021

2024-02-1620:15:47
CWE-20
google_android
web.nvd.nist.gov
5045
nvd
cve-2024-0021
notificationaccessconfirmationactivity
logic error
work profile
notification listener services
local privilege escalation

CVSS3

7

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

0

Percentile

9.0%

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way for an app in the work profile to enable notification listener services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Affected configurations

Vulners
Vulnrichment
Node
googleandroidMatch14
OR
googleandroidMatch14
OR
googleandroidMatch13
VendorProductVersionCPE
googleandroid14cpe:2.3:o:google:android:14:*:*:*:*:*:*:*
googleandroid13cpe:2.3:o:google:android:13:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Google",
    "product": "Android",
    "versions": [
      {
        "version": "14",
        "status": "affected"
      },
      {
        "version": "13",
        "status": "affected"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

CVSS3

7

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

0

Percentile

9.0%

Related for CVE-2024-0021