ASB-A-174046397

See a problem?

Import Source

https://storage.googleapis.com/android-osv/ASB-A-174046397.json

JSON Data

https://api.osv.dev/v1/vulns/ASB-A-174046397

Aliases

A-174046397
CVE-2021-0487

Published

2021-05-01T00:00:00Z

Modified

2026-06-08T15:01:31.246215948Z

Summary

[none]

Details

In onCreate of CalendarDebugActivity.java, there is a possible way to export calendar data to the sdcard without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/packages/providers/CalendarProvider

Package

Name: platform/packages/providers/CalendarProvider

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11:0

Fixed

11:2021-05-01

Affected versions

Other

Ecosystem specific

{
    "spl": "2021-05-01",
    "fixes": [
        "https://android.googlesource.com/platform/packages/providers/CalendarProvider/+/11fe2048a5aa5d3d3db315194921130bf2407919"
    ],
    "severity": "High",
    "vanir_signatures": [
        {
            "target": {
                "file": "src/com/android/providers/calendar/CalendarDebugActivity.java"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "60518912781230707920037808092477919804",
                    "119739717399118429099288361389180461437",
                    "322385714673689406118538491383202140376"
                ]
            },
            "id": "ASB-A-174046397-ecaf0a28",
            "signature_type": "Line",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://android.googlesource.com/platform/packages/providers/CalendarProvider/+/11fe2048a5aa5d3d3db315194921130bf2407919"
        }
    ],
    "types": [
        "EoP"
    ]
}

Database specific

source

"https://storage.googleapis.com/android-osv/ASB-A-174046397.json"