Lucene search

GoogleOSV:ASB-A-242703202

HistoryDec 01, 2022 - 12:00 a.m.

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannel#mSound

2022-12-0100:00:00

Google

osv.dev

notificationchannel

notificationchannel.java

notification access

user awareness

privilege escalation

resource exhaustion

software

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

android.googlesource.com/platform/frameworks/base/+/3850857cb0e7f26702d5bd601731d7290390fa3b

android.googlesource.com/platform/frameworks/base/+/6f02c07176d0fa4d6985c8f2200ccf49a1657d1c

source.android.com/security/bulletin/2022-12-01

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Related for OSV:ASB-A-242703202