ASB-A-272024837
See a problem?- Import Source
- https://storage.googleapis.com/android-osv/ASB-A-272024837.json
- JSON Data
- https://api.osv.dev/v1/vulns/ASB-A-272024837
- Aliases
-
- A-272024837
- CVE-2023-40111
- Published
- 2023-11-01T00:00:00Z
- Modified
- 2024-08-07T19:30:10.449086Z
- Summary
- [none]
- Details
-
In setMediaButtonReceiver of MediaSessionRecord.java, there is a possible way to send a pending intent on behalf of system_server due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
- References
Affected packages
Android / platform/frameworks/base
Package
Ecosystem specific
{
"vanir_signatures": [
{
"match_only_versions": [
"14-next"
],
"digest": {
"threshold": 0.9,
"line_hashes": [
"236770121537802621648311122075269459875",
"122654803527651144676053160484220879813",
"95741851566043158909238225212734541211",
"241886798512878965046143038112009769442",
"272603983022526998761392008370444589241",
"243149956597107806943455836161843096291",
"106995219572113423590683442444148216646",
"299958652213519946857433406139940572229",
"259415800374911855473008150984982785939"
]
},
"id": "ASB-A-272024837-5cf0e1e6",
"source": "https://android.googlesource.com/platform/frameworks/base/+/fda5a94aaf91933f8602e00d78ad9ba4872c72f4",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "media/java/android/media/session/MediaSession.java"
},
"signature_type": "Line"
},
{
"match_only_versions": [
"14-next"
],
"digest": {
"threshold": 0.9,
"line_hashes": [
"299081490920259318877727632521476767922",
"302472848972615289292183195072773805259",
"241865238823797463014263604621323504252",
"298315331419055250318672200793920101621",
"147614917347802771605840369520412201880",
"136949481901407557367519482498560956647",
"276394434875134967972949936602295470676",
"95684553906759592070313294543724405523",
"100404887466980931174629478934732371970",
"39429240874014650544371897720248906735",
"261979918624745673946407769660983652040",
"295816804738498243063969974468879949518",
"24545805705645075083901089211910123025"
]
},
"id": "ASB-A-272024837-b21b403f",
"source": "https://android.googlesource.com/platform/frameworks/base/+/fda5a94aaf91933f8602e00d78ad9ba4872c72f4",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/media/MediaSessionRecord.java"
},
"signature_type": "Line"
},
{
"match_only_versions": [
"14-next"
],
"digest": {
"length": 410.0,
"function_hash": "325366029875122455442385050112133143490"
},
"id": "ASB-A-272024837-cf048780",
"source": "https://android.googlesource.com/platform/frameworks/base/+/fda5a94aaf91933f8602e00d78ad9ba4872c72f4",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/media/MediaSessionRecord.java",
"function": "setMediaButtonReceiver"
},
"signature_type": "Function"
},
{
"match_only_versions": [
"14-next"
],
"digest": {
"length": 184.0,
"function_hash": "8970144000333433291049366764681940003"
},
"id": "ASB-A-272024837-e2c09b8c",
"source": "https://android.googlesource.com/platform/frameworks/base/+/fda5a94aaf91933f8602e00d78ad9ba4872c72f4",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "media/java/android/media/session/MediaSession.java",
"function": "setMediaButtonReceiver"
},
"signature_type": "Function"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/fda5a94aaf91933f8602e00d78ad9ba4872c72f4"
],
"spl": "2023-11-01",
"severity": "High",
"types": [
"EoP"
]
}
Android / platform/frameworks/base
Package
Ecosystem specific
{
"vanir_signatures": [
{
"match_only_versions": [
"14"
],
"digest": {
"threshold": 0.9,
"line_hashes": [
"39429240874014650544371897720248906735",
"261979918624745673946407769660983652040",
"295816804738498243063969974468879949518",
"24545805705645075083901089211910123025"
]
},
"id": "ASB-A-272024837-20b9b59d",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d455e21711c167223f7d0696809a4e411683182c",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/media/MediaSessionRecord.java"
},
"signature_type": "Line"
},
{
"match_only_versions": [
"14"
],
"digest": {
"length": 410.0,
"function_hash": "325366029875122455442385050112133143490"
},
"id": "ASB-A-272024837-25eaa2bb",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d455e21711c167223f7d0696809a4e411683182c",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/media/MediaSessionRecord.java",
"function": "setMediaButtonReceiver"
},
"signature_type": "Function"
},
{
"match_only_versions": [
"14"
],
"digest": {
"length": 184.0,
"function_hash": "8970144000333433291049366764681940003"
},
"id": "ASB-A-272024837-4be61c7a",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d455e21711c167223f7d0696809a4e411683182c",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "media/java/android/media/session/MediaSession.java",
"function": "setMediaButtonReceiver"
},
"signature_type": "Function"
},
{
"match_only_versions": [
"14"
],
"digest": {
"threshold": 0.9,
"line_hashes": [
"236770121537802621648311122075269459875",
"122654803527651144676053160484220879813",
"95741851566043158909238225212734541211",
"243149956597107806943455836161843096291",
"106995219572113423590683442444148216646",
"299958652213519946857433406139940572229",
"259415800374911855473008150984982785939"
]
},
"id": "ASB-A-272024837-71b62f18",
"source": "https://android.googlesource.com/platform/frameworks/base/+/d455e21711c167223f7d0696809a4e411683182c",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "media/java/android/media/session/MediaSession.java"
},
"signature_type": "Line"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/d455e21711c167223f7d0696809a4e411683182c"
],
"spl": "2023-11-01",
"severity": "High",
"types": [
"EoP"
]
}