ASB-A-210065877

Import Source
https://storage.googleapis.com/android-osv/ASB-A-210065877.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-210065877
Aliases
  • A-210065877
  • CVE-2022-20450
Published
2022-11-01T00:00:00Z
Modified
2024-08-07T19:29:34.520165Z
Summary
Apps can get the ACTIVITY_RECOGNITION runtime permission silently via app upgrade on Q and above
Details

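In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way to bypass user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Note that the signatures listed below locate restorePermissionState in PermissionManagerService.java for Android 11, 12 and 12L, and in PermissionManagerServiceImpl.java only for Android 13, so when verifying that a build carries the fix on the older branches, check the former file against the fix commit for that branch.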

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2022-11-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 10816.0,
                "function_hash": "313395618697061706143828738755605122814"
            },
            "id": "ASB-A-210065877-7f44be55",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java",
                "function": "restorePermissionState"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "70337220111095111239554531117300270560",
                    "37680386246374956347998185350697731801",
                    "194092347827170068529915649080525668756",
                    "37904075820297233052904941461534405475"
                ]
            },
            "id": "ASB-A-210065877-82e03571",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "192329061750754579635130939936978434760",
                    "180845804502122717465318985068976461465",
                    "177498258042140996260575903969205252874",
                    "157672850619058297516428766977646296191",
                    "49957728695482223994996026688992799860",
                    "155700006602593996535553090055359115192",
                    "189503656619447869696913099614599607398",
                    "332805842555046017036491288664338011557",
                    "52131025358373768466184263356344105817",
                    "138745309758142223385199693376003711444",
                    "291971255444764233347146488762018284859",
                    "349162356191215844468090734286535060",
                    "163690546655641809481703346611962914311",
                    "173906844637934707168991241424116221235",
                    "171342722970669750398215088449046445017",
                    "293841873522683363379165884003241045615",
                    "156316419184537633419863264451999548929",
                    "198141498415930033094452607809662987630",
                    "60549211253879352751947260189873568675",
                    "191085721430628901071938960134422239855",
                    "236732265184660035366467935863000898408",
                    "75407180318704451699303769443305508093"
                ]
            },
            "id": "ASB-A-210065877-b9c7d2ac",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "140733965518960597410749120412513228337",
                    "133000066657174067784792790976086256649"
                ]
            },
            "id": "ASB-A-210065877-d5ede725",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/android/content/pm/PackageManagerInternal.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4"
    ],
    "spl": "2022-11-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2022-11-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "204068925692065732622297449105718764950",
                    "189002681868105969675858536182292719692",
                    "27119499515421481643088173525291392512",
                    "309020344221767103913966043106851831373",
                    "94532263032810138178452766913210053001",
                    "145770841673157355582929213949103756484",
                    "121858566232927313939010965935187168921",
                    "177498258042140996260575903969205252874",
                    "157672850619058297516428766977646296191",
                    "122586252879616957845736246789726967874",
                    "49295243026898906572170636147125349825",
                    "140287879494077765913243099683714685357",
                    "338583801412692770865376243698492200826",
                    "312154753232476171165435569596566928389",
                    "251327487216216132552046834505879001760",
                    "272786978245618890801536400053749027092",
                    "16755325034230407185356123000104119490",
                    "266325398593348129313837249785764061006",
                    "81183483232826653128425546244167158126",
                    "89583781141578730997026421727059260226",
                    "137025581340638661145686941050757022756",
                    "247875880308441436746754417505263827341",
                    "107383290604112603127335460872191143314",
                    "259745650538462562304317647837850807378",
                    "110635991185879868564817031942272871690",
                    "81522928803926506048863656976925063374",
                    "233020365937013684941229783684964983097",
                    "68476467424128480975241919625541521298",
                    "52764643450515969104304985049234796646",
                    "62950841911947415746268478580969992406",
                    "236732265184660035366467935863000898408",
                    "75407180318704451699303769443305508093",
                    "108587633537507210242609878158511307392",
                    "223346374230332314202607025582642319083",
                    "25769565521317829918966238158725570349",
                    "35018291119125253438113329575662430308",
                    "51657818545401116001910514239752911792",
                    "277889238348594391941544173186934120630",
                    "212104117500095294343351554471806212485",
                    "256620539703273529247375758003833936612"
                ]
            },
            "id": "ASB-A-210065877-0d418034",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/23aac9cb8eb4545a79bafef3c14864e0aa59e228",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 8765.0,
                "function_hash": "122957904428876774460389341088842378663"
            },
            "id": "ASB-A-210065877-fe0a9f79",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/23aac9cb8eb4545a79bafef3c14864e0aa59e228",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java",
                "function": "restorePermissionState"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/23aac9cb8eb4545a79bafef3c14864e0aa59e228"
    ],
    "spl": "2022-11-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2022-11-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 8765.0,
                "function_hash": "122957904428876774460389341088842378663"
            },
            "id": "ASB-A-210065877-5d9ce940",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dd48aab843ff7b19fa5fbde987d84b76c92922f2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java",
                "function": "restorePermissionState"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "204068925692065732622297449105718764950",
                    "189002681868105969675858536182292719692",
                    "27119499515421481643088173525291392512",
                    "309020344221767103913966043106851831373",
                    "94532263032810138178452766913210053001",
                    "145770841673157355582929213949103756484",
                    "121858566232927313939010965935187168921",
                    "177498258042140996260575903969205252874",
                    "157672850619058297516428766977646296191",
                    "122586252879616957845736246789726967874",
                    "49295243026898906572170636147125349825",
                    "140287879494077765913243099683714685357",
                    "338583801412692770865376243698492200826",
                    "312154753232476171165435569596566928389",
                    "251327487216216132552046834505879001760",
                    "272786978245618890801536400053749027092",
                    "16755325034230407185356123000104119490",
                    "266325398593348129313837249785764061006",
                    "81183483232826653128425546244167158126",
                    "89583781141578730997026421727059260226",
                    "137025581340638661145686941050757022756",
                    "247875880308441436746754417505263827341",
                    "107383290604112603127335460872191143314",
                    "259745650538462562304317647837850807378",
                    "110635991185879868564817031942272871690",
                    "81522928803926506048863656976925063374",
                    "233020365937013684941229783684964983097",
                    "68476467424128480975241919625541521298",
                    "52764643450515969104304985049234796646",
                    "62950841911947415746268478580969992406",
                    "236732265184660035366467935863000898408",
                    "75407180318704451699303769443305508093",
                    "108587633537507210242609878158511307392",
                    "223346374230332314202607025582642319083",
                    "25769565521317829918966238158725570349",
                    "35018291119125253438113329575662430308",
                    "51657818545401116001910514239752911792",
                    "277889238348594391941544173186934120630",
                    "212104117500095294343351554471806212485",
                    "256620539703273529247375758003833936612"
                ]
            },
            "id": "ASB-A-210065877-90f2fda1",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dd48aab843ff7b19fa5fbde987d84b76c92922f2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerService.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/dd48aab843ff7b19fa5fbde987d84b76c92922f2"
    ],
    "spl": "2022-11-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2022-11-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "204068925692065732622297449105718764950",
                    "189002681868105969675858536182292719692",
                    "27119499515421481643088173525291392512",
                    "309020344221767103913966043106851831373",
                    "94532263032810138178452766913210053001",
                    "145770841673157355582929213949103756484",
                    "121858566232927313939010965935187168921",
                    "177498258042140996260575903969205252874",
                    "157672850619058297516428766977646296191",
                    "122586252879616957845736246789726967874",
                    "49295243026898906572170636147125349825",
                    "140287879494077765913243099683714685357",
                    "338583801412692770865376243698492200826",
                    "312154753232476171165435569596566928389",
                    "251327487216216132552046834505879001760",
                    "272786978245618890801536400053749027092",
                    "16755325034230407185356123000104119490",
                    "266325398593348129313837249785764061006",
                    "81183483232826653128425546244167158126",
                    "89583781141578730997026421727059260226",
                    "137025581340638661145686941050757022756",
                    "247875880308441436746754417505263827341",
                    "107383290604112603127335460872191143314",
                    "259745650538462562304317647837850807378",
                    "110635991185879868564817031942272871690",
                    "81522928803926506048863656976925063374",
                    "233020365937013684941229783684964983097",
                    "68476467424128480975241919625541521298",
                    "52764643450515969104304985049234796646",
                    "62950841911947415746268478580969992406",
                    "236732265184660035366467935863000898408",
                    "75407180318704451699303769443305508093",
                    "108587633537507210242609878158511307392",
                    "223346374230332314202607025582642319083",
                    "25769565521317829918966238158725570349",
                    "35018291119125253438113329575662430308",
                    "51657818545401116001910514239752911792",
                    "277889238348594391941544173186934120630",
                    "212104117500095294343351554471806212485",
                    "256620539703273529247375758003833936612"
                ]
            },
            "id": "ASB-A-210065877-1e2ada85",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/41dc761e081d8c6de48ddc3b960e12e4fd24c8b7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 9214.0,
                "function_hash": "49249527759310573510656247232703678512"
            },
            "id": "ASB-A-210065877-7f63d209",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/41dc761e081d8c6de48ddc3b960e12e4fd24c8b7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java",
                "function": "restorePermissionState"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/41dc761e081d8c6de48ddc3b960e12e4fd24c8b7"
    ],
    "spl": "2022-11-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}