ASB-A-157320644

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-157320644.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-157320644
Aliases
  • A-157320644
  • CVE-2021-0645
Published
2021-08-01T00:00:00Z
Modified
2024-08-07T19:29:07.273904Z
Summary
[Android 11 DP4, Build 6455311] - Operations on the external application storage directory are not restricted
Details

In shouldBlockFromTree of ExternalStorageProvider.java, there is a possible permissions bypass. This could lead to local escalation of privilege, allowing an app to read private app directories in external storage, which should be restricted in Android 11, with no additional execution privileges needed. User interaction is needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2021-08-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 773.0,
                "function_hash": "21264950629884566867052038175961168832"
            },
            "id": "ASB-A-157320644-06ed280d",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/1ea98d44490a2383a604b546a5671a783c1000dd",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java",
                "function": "shouldBlockFromTree"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/1ea98d44490a2383a604b546a5671a783c1000dd"
    ],
    "spl": "2021-08-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}