Potential Local Escalation of Privilege Vulnerability in PermissionManagerServiceImpl
CVE-2023-21270
7.8 HIGH
What is CVE-2023-21270?
In Android's PermissionManagerServiceImpl.java, a flaw in the restorePermissionState function could allow malicious applications to retain permissions they should have lost after system updates. Because permission flags are handled incorrectly, apps might bypass the restrictions intended to revoke certain permissions. Exploitation requires user execution privileges and no user interaction, so an attacker can escalate their access without the user doing anything, which raises the risk profile of this vulnerability.
Affected Version(s)
Android sc-dev
Android sc-v2-dev
Android tm-dev