PUB-A-250573776

See a problem?
Import Source
https://storage.googleapis.com/android-osv/PUB-A-250573776.json
JSON Data
https://api.osv.dev/v1/vulns/PUB-A-250573776
Aliases
  • A-250573776
  • CVE-2023-20975
Published
2023-06-01T00:00:00Z
Modified
2024-08-29T07:13:11.218744Z
Summary
Bypassing UserManager.DISALLOW_CONTENT_CAPTURE to enable content capture
Details

In getAvailabilityStatus of EnableContentCapturePreferenceController.java, there is a possible way to bypass DISALLOWCONTENTCAPTURE due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/packages/apps/Settings

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13-next:0
Fixed
13-next:2023-06-01

Affected versions

Other

13-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "match_only_versions": [
                "13-next"
            ],
            "digest": {
                "length": 166.0,
                "function_hash": "258326527094683490707070192044831391883"
            },
            "id": "PUB-A-250573776-5b7f6683",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/a1ca72224da3a87d3117e764dfea35e03f62a182",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/privacy/EnableContentCapturePreferenceController.java",
                "function": "getAvailabilityStatus"
            },
            "signature_type": "Function"
        },
        {
            "match_only_versions": [
                "13-next"
            ],
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "230878898972108947448676599731865036895",
                    "29929630303618403406873241733712735071",
                    "43171703898393838406260968717756894712",
                    "202220144456139908321737172207194654673",
                    "141297438035133473302776685006771028195",
                    "314980342124334971502357072826993007426",
                    "198523617367747830504737027296671495035",
                    "321352975154569528164620798525210741119",
                    "167566222161009494756955802324480295557"
                ]
            },
            "id": "PUB-A-250573776-fc2eddb4",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/a1ca72224da3a87d3117e764dfea35e03f62a182",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/privacy/EnableContentCapturePreferenceController.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/packages/apps/Settings/+/a1ca72224da3a87d3117e764dfea35e03f62a182"
    ],
    "spl": "2023-06-01",
    "severity": "Moderate",
    "types": [
        "EoP"
    ]
}