Lucene search

GoogleOSV:ASB-A-262244249

HistoryJun 01, 2023 - 12:00 a.m.

[ADP Grant] Guest user can see the trace logs recorded by Admin user by MainTvActivity

2023-06-0100:00:00

Google

osv.dev

info disclosure

permissions bypass

developer traces

software

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

5.1%

JSON

In several functions of several files, there is a possible way to access developer mode traces due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CPENameOperatorVersion
platform/packages/apps/traceureq13
platform/packages/apps/traceureq11
platform/packages/apps/traceureq12L
platform/packages/apps/traceureq12

Name	Operator	Version
platform/packages/apps/traceur	eq	13
platform/packages/apps/traceur	eq	11
platform/packages/apps/traceur	eq	12L
platform/packages/apps/traceur	eq	12

References

android.googlesource.com/platform/packages/apps/Traceur/+/a6c0590c97c7fa8ff78f5d5117a1830c817a107d

source.android.com/security/bulletin/2023-06-01

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for OSV:ASB-A-262244249