In requestRouteToHostAddress of ConnectivityService.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "314799369627835642921827884396392181379", "9030396507336448212934982012430864371", "211211637072040028664152410553025331110", "101724637114009651002447169703361275422", "229345486118179885689352253295393278836", "311731141835569413312801846668454551622", "324190697714092880881121812681882346648" ] }, "id": "PUB-A-193801134-731290f9", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/b2c286816d35877ffe22e70f5bc1c03c6d03b214", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/ConnectivityService.java" }, "signature_type": "Line" }, { "digest": { "length": 1579.0, "function_hash": "68085344819532462762135832814978335987" }, "id": "PUB-A-193801134-d910352b", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/b2c286816d35877ffe22e70f5bc1c03c6d03b214", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/ConnectivityService.java", "function": "requestRouteToHostAddress" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Connectivity/+/b2c286816d35877ffe22e70f5bc1c03c6d03b214" ], "spl": "2021-12-01", "severity": "Moderate", "types": [ "ID" ] }