In checkUriPermission of MediaProvider.java , there is a possible way to gain access to the content of media provider collections due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 706.0, "function_hash": "4474091377632993188748744114478412065" }, "id": "ASB-A-197302116-8466e10a", "source": "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/a728dfa19c2601b576a718fd9f79916bccd07c0e", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/providers/media/MediaProvider.java", "function": "checkCallingPermissionGlobal" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "25127089540446830365776893669670367074", "52654365560282741827295200764621425196", "26300234619064364160552495580696396765", "234892767815313923050612973569646278697" ] }, "id": "ASB-A-197302116-bed77eec", "source": "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/a728dfa19c2601b576a718fd9f79916bccd07c0e", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/providers/media/MediaProvider.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/a728dfa19c2601b576a718fd9f79916bccd07c0e" ], "spl": "2022-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 473.0, "function_hash": "77917397673266524374997186027548272186" }, "id": "ASB-A-197302116-82cb918e", "source": "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/76f725361312644461b9021380ba4d0d9d32108e", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/providers/media/MediaProvider.java", "function": "checkCallingPermissionGlobal" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "179488332357500760464235199868250000541", "187478289198325735826983537232858024645", "120491782560672794494210877229389813743", "92600504435141915104528076797454285329", "127963006318052941156864521487158640799", "73548561541516981385917645259986818141", "285244454391137702933056196617636423388", "266185567679167196513501867627317679055", "182525984290406380742302441291159798810", "68813998502226990251331405337490877221", "8323709720999923258340560131546100764", "58667546572850305526766049867153733009", "186725081679960081437720087514013561272", "226549758348081416692860462691351302638", "25127089540446830365776893669670367074", "52654365560282741827295200764621425196", "170003878977492606213118720174031857260", "155206640671181671793224228347242975948" ] }, "id": "ASB-A-197302116-9d38cdcb", "source": "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/76f725361312644461b9021380ba4d0d9d32108e", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/providers/media/MediaProvider.java" }, "signature_type": "Line" }, { "digest": { "length": 1361.0, "function_hash": "265008385440246623604938998864186753709" }, "id": "ASB-A-197302116-e8214d8c", "source": "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/76f725361312644461b9021380ba4d0d9d32108e", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/providers/media/MediaProvider.java", "function": "checkUriPermission" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/providers/MediaProvider/+/76f725361312644461b9021380ba4d0d9d32108e" ], "spl": "2022-05-01", "severity": "High", "types": [ "EoP" ] }