In openFileAndEnforcePathPermissionsHelper of MediaProvider.java, there is a possible bypass of a permissions check due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "function_hash": "165616400455024994892517906895191784291", "length": 558.0 }, "signature_version": "v1", "deprecated": false, "source": "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/b50868065a4cf0c15e96aea66732afc89c388022", "id": "ASB-A-200682135-5f359beb", "signature_type": "Function", "target": { "file": "src/com/android/providers/media/MediaProvider.java", "function": "openTypedAssetFileCommon" } }, { "digest": { "function_hash": "112285523604073142095418550921513705140", "length": 1420.0 }, "signature_version": "v1", "deprecated": false, "source": "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/b50868065a4cf0c15e96aea66732afc89c388022", "id": "ASB-A-200682135-8b355753", "signature_type": "Function", "target": { "file": "src/com/android/providers/media/MediaProvider.java", "function": "openFileCommon" } }, { "digest": { "function_hash": "284525932788735169382226148928346094244", "length": 2377.0 }, "signature_version": "v1", "deprecated": false, "source": "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/b50868065a4cf0c15e96aea66732afc89c388022", "id": "ASB-A-200682135-962c8aa2", "signature_type": "Function", "target": { "file": "src/com/android/providers/media/MediaProvider.java", "function": "openFileAndEnforcePathPermissionsHelper" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "301230924079322411707306435658694167231", "119934892804168007671710819972308779864", "199487414863393805613893393325696610053", "162360384384749213345567536258975167779", "281055015758836343142548915437798574571", "221706412158811096265614557779732931585", "182383650732400534176262118348651346131", "185664529873386261295334187875465343000", "172024512681413809249593304452825948661", "187769825546625509013337805616455216952", "253087205555732787596386662491868256880", "134226128641440851766864797113642402358", "95336984391022107399284068656457382680", "82787907556720293565485704345509551568", "213204510778106549042434355760192794507", "332959931777799172079287323201771234549", "133596333348576970970733937787512775629", "1694689932720584837483373116289838099", "246425859373065730087414984618554517129", "69207298254231555346135493797051147018", "146011506290389155650539787564751170842", "250478298507667485277041063687181726894", "158519083428419644750957911501626877546", "254102938929140759440146827680883211708", "162879964757682414177023233577190795421", "310358380949384310875695053651920800400", "43233373684009478504010354450779091670", "165570269486723337793374398703277539992", "197756927111725734253362481862997469015", "185040904275557993485879863883766089670", "3846512432080304883829143243894092442", "24322872871318015983352795926468960142", "315278518823851250907608978082096455149", "103539333113218161862557549421981177779", "335093249454313703290108671264029322501", "83724094901120736497911731160934322367", "303279304179388736378044696196841160238", "99654987882633657501185966106724953567", "333337238505504014933896228287819450521", "330401764247701592708522675639968086618", "11559575761700046304819877678158831154", "63189297716160860855887423975874749820" ] }, "signature_version": "v1", "deprecated": false, "source": "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/b50868065a4cf0c15e96aea66732afc89c388022", "id": "ASB-A-200682135-e3310dcc", "signature_type": "Line", "target": { "file": "src/com/android/providers/media/MediaProvider.java" } } ], "fixes": [ "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/b50868065a4cf0c15e96aea66732afc89c388022" ], "spl": "2022-02-01" }