ASB-A-240663194

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-240663194.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-240663194
Aliases
  • A-240663194
  • CVE-2022-20475
Published
2022-12-01T00:00:00Z
Modified
2024-08-07T19:30:09.511631Z
Summary
Task hijacking of apps that set allowTaskReparenting="true"
Details

In test of ResetTargetTaskHelper.java, there is a possible hijacking of any app which sets allowTaskReparenting="true" due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2022-12-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1839.0,
                "function_hash": "79367335984536868683060388927323698399"
            },
            "id": "ASB-A-240663194-31871ecc",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7da08c6bd31584744e91eb6b3914166344ecae33",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java",
                "function": "processActivity"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "156696531665261001840361105050140513977",
                    "141577864991975549992388657836996666940",
                    "176173783978772524694805082768982610046",
                    "40656254098996569909265033914126337733",
                    "6035741319983973340794305195343138500",
                    "106076101888920704290679117356166803734",
                    "174141138331974519528807865623126836579",
                    "333588990833629625277664792135720220197"
                ]
            },
            "id": "ASB-A-240663194-b69388b4",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7da08c6bd31584744e91eb6b3914166344ecae33",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/7da08c6bd31584744e91eb6b3914166344ecae33"
    ],
    "spl": "2022-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2022-12-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1839.0,
                "function_hash": "79367335984536868683060388927323698399"
            },
            "id": "ASB-A-240663194-689311e5",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java",
                "function": "processActivity"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "156696531665261001840361105050140513977",
                    "141577864991975549992388657836996666940",
                    "176173783978772524694805082768982610046",
                    "40656254098996569909265033914126337733",
                    "6035741319983973340794305195343138500",
                    "106076101888920704290679117356166803734",
                    "174141138331974519528807865623126836579",
                    "333588990833629625277664792135720220197"
                ]
            },
            "id": "ASB-A-240663194-6c5655b0",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb"
    ],
    "spl": "2022-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2022-12-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "156696531665261001840361105050140513977",
                    "141577864991975549992388657836996666940",
                    "176173783978772524694805082768982610046",
                    "40656254098996569909265033914126337733",
                    "6035741319983973340794305195343138500",
                    "106076101888920704290679117356166803734",
                    "174141138331974519528807865623126836579",
                    "333588990833629625277664792135720220197"
                ]
            },
            "id": "ASB-A-240663194-6ab63711",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1839.0,
                "function_hash": "79367335984536868683060388927323698399"
            },
            "id": "ASB-A-240663194-ae0b3db2",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java",
                "function": "processActivity"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/7af50c4d5f0354438872167b0e446930caca9deb"
    ],
    "spl": "2022-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2022-12-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1833.0,
                "function_hash": "196881039074853251030040489618889753042"
            },
            "id": "ASB-A-240663194-115ef8b1",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/f63ee3bb84b6a6ebf34475f433471cf4c28fb3c7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java",
                "function": "test"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "156696531665261001840361105050140513977",
                    "141577864991975549992388657836996666940",
                    "176173783978772524694805082768982610046",
                    "40656254098996569909265033914126337733",
                    "6035741319983973340794305195343138500",
                    "106076101888920704290679117356166803734",
                    "174141138331974519528807865623126836579",
                    "333588990833629625277664792135720220197"
                ]
            },
            "id": "ASB-A-240663194-24f3ed21",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/f63ee3bb84b6a6ebf34475f433471cf4c28fb3c7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/ResetTargetTaskHelper.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/f63ee3bb84b6a6ebf34475f433471cf4c28fb3c7"
    ],
    "spl": "2022-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}