Lucene search

GoogleOSV:ASB-A-268193384

HistoryJul 01, 2023 - 12:00 a.m.

ADP Grant - Starting arbitrary Activities via SettingsHomepageActivity on behalf of uid 1000

2023-07-0100:00:00

Google

osv.dev

adp grant

settingshomepageactivity

logic error

local escalation

user interaction

software

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

23.8%

JSON

In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

References

android.googlesource.com/platform/packages/apps/Settings/+/62fc1d269f5e754fc8f00b6167d79c3933b4c1f4

source.android.com/security/bulletin/2023-07-01

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

23.8%

JSON

Related for OSV:ASB-A-268193384