ASB-A-254736794

Import Source
https://storage.googleapis.com/android-osv/ASB-A-254736794.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-254736794
Aliases
  • A-254736794
  • CVE-2023-21254
Published
2023-07-01T00:00:00Z
Modified
2024-08-07T19:29:33.750302Z
Summary
One-time permissions can be held indefinitely due to activity manager bug
Details

In getCurrentState of OneTimePermissionUserManager.java, there is a possible way for an app to keep holding one-time permissions after it has been killed, due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13-next:0
Fixed
13-next:2023-07-01

Affected versions

Other

13-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 230.0,
                "function_hash": "286731377711939635674905074908431232409"
            },
            "id": "ASB-A-254736794-150db067",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java",
                "function": "getCurrentState"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "2012088019728896796373346529697119661",
                    "95794887678244685017967769009345707309",
                    "269473325157219616924923563745773375448",
                    "154820972000404752573118643516014957341",
                    "169098446295692466798229884776274637005",
                    "67219821689456268388489880111183157946",
                    "81611614958380172139615727478591205864",
                    "225201598122517943733666693027874673645",
                    "237205250153135466490122010482236680762",
                    "258373914556850159813516484305773392827",
                    "125910280071661462423652500860628301922",
                    "113538152592414822415748897100386305573",
                    "233144689361163071165913764396211623748",
                    "272268049520737346018390666615642509419",
                    "327200272399841684421769554567479185010",
                    "197512901002234036421909392540332515687",
                    "48230772581453563322002997973370902025",
                    "231488850382554498332132733718306136571",
                    "105095112724300480145608650652271240823",
                    "238399159099680063683957948576794709363",
                    "151419067622790176455733014614730665027",
                    "301034873234891899052665121603635606246",
                    "250514607572004205542612161216221479765",
                    "247503341480896072712975524814651163330"
                ]
            },
            "id": "ASB-A-254736794-185febc0",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 290.0,
                "function_hash": "66636180706436326696362511061246090529"
            },
            "id": "ASB-A-254736794-b35f72e7",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java",
                "function": "OneTimePermissionUserManager"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7"
    ],
    "spl": "2023-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2023-07-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "2012088019728896796373346529697119661",
                    "95794887678244685017967769009345707309",
                    "269473325157219616924923563745773375448",
                    "154820972000404752573118643516014957341",
                    "104213317420452091492353394712202028201",
                    "115008296082753412527057053867333611588",
                    "327946308160344602239660896448104314510",
                    "225201598122517943733666693027874673645",
                    "237205250153135466490122010482236680762",
                    "258373914556850159813516484305773392827",
                    "125910280071661462423652500860628301922",
                    "113538152592414822415748897100386305573",
                    "233144689361163071165913764396211623748",
                    "39614901207402222558656648053840086968",
                    "69252160723633962585538215955562754152",
                    "197512901002234036421909392540332515687",
                    "48230772581453563322002997973370902025",
                    "231488850382554498332132733718306136571",
                    "105095112724300480145608650652271240823",
                    "238399159099680063683957948576794709363",
                    "151419067622790176455733014614730665027",
                    "301034873234891899052665121603635606246",
                    "250514607572004205542612161216221479765",
                    "247503341480896072712975524814651163330"
                ]
            },
            "id": "ASB-A-254736794-098c99e5",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 230.0,
                "function_hash": "286731377711939635674905074908431232409"
            },
            "id": "ASB-A-254736794-5294ec01",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java",
                "function": "getCurrentState"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 265.0,
                "function_hash": "189535468120640384763674111584510550352"
            },
            "id": "ASB-A-254736794-7993dbd8",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java",
                "function": "OneTimePermissionUserManager"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3"
    ],
    "spl": "2023-07-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}