ASB-A-234013191

Import Source
https://storage.googleapis.com/android-osv/ASB-A-234013191.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-234013191
Aliases
  • A-234013191
  • CVE-2022-20470
Published
2022-12-01T00:00:00Z
Modified
2024-08-07T19:30:11.620364Z
Summary
Privilege Escalation in com.android.server.appwidget.AppWidgetServiceImpl#bindRemoteViewsService
Details

In bindRemoteViewsService of AppWidgetServiceImpl.java, there is a possible way to bypass background activity launch restrictions due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10:0
Fixed
10:2022-12-01

Affected versions

Other

10

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "301939499715474086686814466129782162595",
                    "338666126514144047379684270714637681856",
                    "237068998572706870373509846032853599867",
                    "253068636425074951647775241125817726292",
                    "81309442384179410729868758149480836056",
                    "149351765488031146942561662630386098070",
                    "258822827992832751568478612410852030246",
                    "1472386385560218029928473278780656262"
                ]
            },
            "id": "ASB-A-234013191-60122e66",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1287.0,
                "function_hash": "208609670895234307832493313701423419039"
            },
            "id": "ASB-A-234013191-eb2953dc",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java",
                "function": "bindRemoteViewsService"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011"
    ],
    "spl": "2022-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2022-12-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "301939499715474086686814466129782162595",
                    "338666126514144047379684270714637681856",
                    "237068998572706870373509846032853599867",
                    "253068636425074951647775241125817726292",
                    "81309442384179410729868758149480836056",
                    "149351765488031146942561662630386098070",
                    "258822827992832751568478612410852030246",
                    "1472386385560218029928473278780656262"
                ]
            },
            "id": "ASB-A-234013191-8788b533",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1287.0,
                "function_hash": "208609670895234307832493313701423419039"
            },
            "id": "ASB-A-234013191-efe3eff5",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java",
                "function": "bindRemoteViewsService"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011"
    ],
    "spl": "2022-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2022-12-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1287.0,
                "function_hash": "208609670895234307832493313701423419039"
            },
            "id": "ASB-A-234013191-165e71a1",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java",
                "function": "bindRemoteViewsService"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "301939499715474086686814466129782162595",
                    "338666126514144047379684270714637681856",
                    "237068998572706870373509846032853599867",
                    "253068636425074951647775241125817726292",
                    "81309442384179410729868758149480836056",
                    "149351765488031146942561662630386098070",
                    "258822827992832751568478612410852030246",
                    "1472386385560218029928473278780656262"
                ]
            },
            "id": "ASB-A-234013191-a619de18",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011"
    ],
    "spl": "2022-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2022-12-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1287.0,
                "function_hash": "208609670895234307832493313701423419039"
            },
            "id": "ASB-A-234013191-ad3fa7e5",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java",
                "function": "bindRemoteViewsService"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "301939499715474086686814466129782162595",
                    "338666126514144047379684270714637681856",
                    "237068998572706870373509846032853599867",
                    "253068636425074951647775241125817726292",
                    "81309442384179410729868758149480836056",
                    "149351765488031146942561662630386098070",
                    "258822827992832751568478612410852030246",
                    "1472386385560218029928473278780656262"
                ]
            },
            "id": "ASB-A-234013191-bbad910f",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011"
    ],
    "spl": "2022-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2022-12-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "301939499715474086686814466129782162595",
                    "338666126514144047379684270714637681856",
                    "237068998572706870373509846032853599867",
                    "253068636425074951647775241125817726292",
                    "81309442384179410729868758149480836056",
                    "149351765488031146942561662630386098070",
                    "258822827992832751568478612410852030246",
                    "1472386385560218029928473278780656262"
                ]
            },
            "id": "ASB-A-234013191-a214aa4c",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1287.0,
                "function_hash": "208609670895234307832493313701423419039"
            },
            "id": "ASB-A-234013191-c0a2b185",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java",
                "function": "bindRemoteViewsService"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011"
    ],
    "spl": "2022-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}