search

hshivhare67 / platform_frameworks_base_AOSP10_r33_CVE-2022-20489

Other
0 stars 1 forks source link

baseandroid-10.0.0_r34: 177 vulnerabilities (highest severity is: 8.0) - autoclosed #2

Closed mend-bolt-for-github[bot] closed 1 year ago

mend-bolt-for-github[bot] commented 1 year ago
Vulnerable Library - baseandroid-10.0.0_r34

Android framework classes and services

Library home page: https://android.googlesource.com/platform/frameworks/base

Found in HEAD commit: 0e5e86d7401323e80c8f9d7a515167bf5d66b6a8

Vulnerable Source Files (2)

/core/java/android/accounts/GrantCredentialsPermissionActivity.java /core/java/android/accounts/GrantCredentialsPermissionActivity.java

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (baseandroid version) Remediation Available
CVE-2021-0433 High 8.0 baseandroid-10.0.0_r34 Direct android-11.0.0_r34
CVE-2021-0705 High 7.8 detected in multiple dependencies Direct android-11.0.0_r43
CVE-2021-0708 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r43
CVE-2023-20950 High 7.8 detected in multiple dependencies Direct android-13.0.0_r1
CVE-2020-0417 High 7.8 baseandroid-10.0.0_r34 Direct android-10.0.0_r46
CVE-2023-21097 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r38
CVE-2021-0391 High 7.8 detected in multiple dependencies Direct android-11.0.0_r32
CVE-2021-39704 High 7.8 baseandroid-10.0.0_r34 Direct N/A
CVE-2023-21098 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r38
CVE-2023-21099 High 7.8 detected in multiple dependencies Direct android-13.0.0_r38
CVE-2020-0388 High 7.8 baseandroid-10.0.0_r34 Direct android-10.0.0_r46
CVE-2022-20474 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2021-0799 High 7.8 baseandroid-10.0.0_r34 Direct android-12.0.0_r5
CVE-2022-20470 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2021-0439 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r34
CVE-2021-0317 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r26
CVE-2023-21017 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r32
CVE-2023-20964 High 7.8 detected in multiple dependencies Direct android-13.0.0_r32
CVE-2023-20963 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r32
CVE-2021-0442 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r34
CVE-2021-0683 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r43
CVE-2021-0327 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r29
CVE-2020-0391 High 7.8 baseandroid-10.0.0_r34 Direct android-9.0.0_r60,android-10.0.0_r46
CVE-2021-0927 High 7.8 baseandroid-10.0.0_r34 Direct android-12.0.0_r8
CVE-2023-21109 High 7.8 detected in multiple dependencies Direct android-13.0.0_r49
CVE-2021-0928 High 7.8 detected in multiple dependencies Direct N/A
CVE-2021-39696 High 7.8 baseandroid-10.0.0_r34 Direct android-12.1.0_r1
CVE-2020-0439 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r12
CVE-2023-21110 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r49
CVE-2020-0203 High 7.8 baseandroid-10.0.0_r34 Direct android-10.0.0_r37
CVE-2022-20452 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r12
CVE-2020-0166 High 7.8 baseandroid-10.0.0_r34 Direct android-10.0.0_r37
CVE-2021-0932 High 7.8 baseandroid-10.0.0_r34 Direct N/A
CVE-2023-20944 High 7.8 baseandroid-10.0.0_r34 Direct N/A
CVE-2023-21117 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r49
CVE-2020-0208 High 7.8 detected in multiple dependencies Direct android-10.0.0_r37
CVE-2023-20943 High 7.8 baseandroid-10.0.0_r34 Direct N/A
CVE-2020-0209 High 7.8 detected in multiple dependencies Direct android-10.0.0_r37
CVE-2021-39619 High 7.8 detected in multiple dependencies Direct N/A
CVE-2023-21089 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r38
CVE-2022-20441 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r12
CVE-2023-21081 High 7.8 detected in multiple dependencies Direct android-13.0.0_r38
CVE-2020-0210 High 7.8 detected in multiple dependencies Direct android-10.0.0_r37
CVE-2021-0307 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r26
CVE-2021-0306 High 7.8 detected in multiple dependencies Direct android-11.0.0_r26
CVE-2023-20911 High 7.8 baseandroid-10.0.0_r34 Direct N/A
CVE-2023-20917 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r32
CVE-2023-20916 High 7.8 detected in multiple dependencies Direct android-13.0.0_r1
CVE-2021-39630 High 7.8 baseandroid-10.0.0_r34 Direct android-12.0.0_r26
CVE-2023-20993 High 7.8 baseandroid-10.0.0_r34 Direct N/A
CVE-2020-0227 High 7.8 baseandroid-10.0.0_r34 Direct android-10.0.0_r37,android-9.0.0_r56,android-8.1.0_r76,android-8.0.0_r48
CVE-2021-0472 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r36
CVE-2021-0595 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r39
CVE-2021-0478 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r38
CVE-2022-20550 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r16
CVE-2023-20919 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r19
CVE-2021-0513 High 7.8 detected in multiple dependencies Direct android-11.0.0_r38
CVE-2022-20138 High 7.8 detected in multiple dependencies Direct android-12.1.0_r7
CVE-2022-20135 High 7.8 baseandroid-10.0.0_r34 Direct android-12.1.0_r7
CVE-2023-20920 High 7.8 detected in multiple dependencies Direct android-13.0.0_r19
CVE-2022-20419 High 7.8 detected in multiple dependencies Direct android-13.0.0_r7
CVE-2020-0114 High 7.8 baseandroid-10.0.0_r34 Direct android-10.0.0_r37
CVE-2020-0115 High 7.8 baseandroid-10.0.0_r34 Direct android-10.0.0_r37,android-9.0.0_r56,android-8.1.0_r76,android-8.0.0_r47
CVE-2022-20142 High 7.8 baseandroid-10.0.0_r34 Direct android-12.1.0_r7
CVE-2021-0645 High 7.8 baseandroid-10.0.0_r34 Direct N/A
CVE-2020-0074 High 7.8 detected in multiple dependencies Direct N/A
CVE-2022-20124 High 7.8 baseandroid-10.0.0_r34 Direct android-12.1.0_r7
CVE-2022-20487 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2022-20486 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2020-27059 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r28
CVE-2022-20005 High 7.8 detected in multiple dependencies Direct android-12.1.0_r5
CVE-2022-20488 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2022-20004 High 7.8 baseandroid-10.0.0_r34 Direct android-12.1.0_r5
CVE-2021-0970 High 7.8 baseandroid-10.0.0_r34 Direct android-12.0.0_r16
CVE-2020-0401 High 7.8 baseandroid-10.0.0_r34 Direct android-8.0.0_r50,android-8.1.0_r80,android-9.0.0_r60,android-10.0.0_r46
CVE-2021-0334 High 7.8 baseandroid-10.0.0_r34 Direct android-11.0.0_r29
CVE-2022-20493 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r16
CVE-2022-20495 High 7.8 baseandroid-10.0.0_r34 Direct android-13.0.0_r16
CVE-2021-0337 High 7.8 detected in multiple dependencies Direct android-11.0.0_r19
CVE-2021-0339 High 7.8 detected in multiple dependencies Direct android-11.0.0_r1
CVE-2022-20491 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2022-20479 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2023-20906 High 7.8 baseandroid-10.0.0_r34 Direct N/A
CVE-2022-20354 High 7.8 baseandroid-10.0.0_r34 Direct N/A
CVE-2022-20478 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2022-20356 High 7.8 baseandroid-10.0.0_r34 Direct N/A
CVE-2020-0257 High 7.8 baseandroid-10.0.0_r34 Direct android-10.0.0_r41
CVE-2020-0137 High 7.8 baseandroid-10.0.0_r34 Direct android-10.0.0_r37
CVE-2020-0097 High 7.8 baseandroid-10.0.0_r34 Direct android-10.0.0_r34
CVE-2020-0098 High 7.8 detected in multiple dependencies Direct android-10.0.0_r34,android-8.0.0_r46,android-8.1.0_r76,android-9.0.0_r56
CVE-2020-0099 High 7.8 detected in multiple dependencies Direct android-8.0.0_r49, android-8.1.0_r79, android-9.0.0_r59, android-10.0.0_r44
CVE-2022-20485 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2022-20484 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2022-20480 High 7.8 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2019-2232 High 7.5 baseandroid-10.0.0_r34 Direct android-8.0.0_r41;android-8.1.0_r71;android-9.0.0_r51;android-10.0.0_r17
CVE-2020-0442 High 7.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r12
CVE-2020-0441 High 7.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r12
CVE-2021-0314 High 7.3 baseandroid-10.0.0_r34 Direct android-11.0.0_r26
CVE-2021-0954 High 7.3 baseandroid-10.0.0_r34 Direct N/A
CVE-2021-0315 High 7.3 baseandroid-10.0.0_r34 Direct android-11.0.0_r26
CVE-2021-0319 High 7.3 baseandroid-10.0.0_r34 Direct android-11.0.0_r26
CVE-2023-20921 High 7.3 baseandroid-10.0.0_r34 Direct android-13.0.0_r19
CVE-2021-0688 High 7.0 baseandroid-10.0.0_r34 Direct android-11.0.0_r43
CVE-2022-20007 High 7.0 baseandroid-10.0.0_r34 Direct android-12.1.0_r5
CVE-2022-20006 High 7.0 detected in multiple dependencies Direct android-12.1.0_r5
CVE-2022-20504 Medium 6.7 detected in multiple dependencies Direct android-13.0.0_r16
CVE-2020-0124 Medium 6.7 detected in multiple dependencies Direct android-10.0.0_r37
CVE-2021-0309 Medium 5.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r26
CVE-2021-0704 Medium 5.5 baseandroid-10.0.0_r34 Direct N/A
CVE-2021-0706 Medium 5.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r43
CVE-2021-39670 Medium 5.5 baseandroid-10.0.0_r34 Direct android-12.1.0_r5
CVE-2022-20500 Medium 5.5 baseandroid-10.0.0_r34 Direct android-13.0.0_r16
CVE-2020-0419 Medium 5.5 detected in multiple dependencies Direct N/A
CVE-2020-0389 Medium 5.5 baseandroid-10.0.0_r34 Direct android-10.0.0_r46
CVE-2022-20457 Medium 5.5 baseandroid-10.0.0_r34 Direct android-13.0.0_r12
CVE-2022-20455 Medium 5.5 detected in multiple dependencies Direct N/A
CVE-2021-0682 Medium 5.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r43
CVE-2021-0686 Medium 5.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r43
CVE-2022-20448 Medium 5.5 baseandroid-10.0.0_r34 Direct android-13.0.0_r12
CVE-2020-27098 Medium 5.5 detected in multiple dependencies Direct android-11.0.0_r1
CVE-2023-20930 Medium 5.5 detected in multiple dependencies Direct android-13.0.0_r49
CVE-2020-27097 Medium 5.5 detected in multiple dependencies Direct android-11.0.0_r1
CVE-2020-0443 Medium 5.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r12
CVE-2021-0651 Medium 5.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r46
CVE-2021-0653 Medium 5.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r46
CVE-2021-0931 Medium 5.5 baseandroid-10.0.0_r34 Direct android-12.0.0_r8
CVE-2021-0934 Medium 5.5 detected in multiple dependencies Direct android-13.0.0_r11
CVE-2023-21087 Medium 5.5 baseandroid-10.0.0_r34 Direct android-13.0.0_r38
CVE-2020-0178 Medium 5.5 baseandroid-10.0.0_r34 Direct android-10.0.0_r37
CVE-2021-0304 Medium 5.5 baseandroid-10.0.0_r34 Direct Replace or update the following file: GlobalScreenshot.java
CVE-2022-20425 Medium 5.5 baseandroid-10.0.0_r34 Direct android-13.0.0_r7
CVE-2023-20999 Medium 5.5 detected in multiple dependencies Direct android-13.0.0_r32
CVE-2023-20998 Medium 5.5 detected in multiple dependencies Direct android-13.0.0_r32
CVE-2023-20997 Medium 5.5 detected in multiple dependencies Direct android-13.0.0_r32
CVE-2023-20996 Medium 5.5 detected in multiple dependencies Direct android-13.0.0_r32
CVE-2020-0468 Medium 5.5 baseandroid-10.0.0_r34 Direct N/A
CVE-2020-0467 Medium 5.5 baseandroid-10.0.0_r34 Direct N/A
CVE-2020-0104 Medium 5.5 detected in multiple dependencies Direct android-10.0.0_r34,android-9.0.0_r56
CVE-2021-0599 Medium 5.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r38
CVE-2022-20414 Medium 5.5 detected in multiple dependencies Direct android-13.0.0_r7
CVE-2023-20922 Medium 5.5 baseandroid-10.0.0_r34 Direct android-13.0.0_r16
CVE-2020-0116 Medium 5.5 baseandroid-10.0.0_r34 Direct android-10.0.0_r37
CVE-2021-0480 Medium 5.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r36
CVE-2020-0239 Medium 5.5 baseandroid-10.0.0_r34 Direct android-9.0.0_r59,android-10.0.0_r41
CVE-2021-0521 Medium 5.5 detected in multiple dependencies Direct android-11.0.0_r38
CVE-2021-0644 Medium 5.5 baseandroid-10.0.0_r34 Direct android-11.0.0_r40
CVE-2022-20143 Medium 5.5 baseandroid-10.0.0_r34 Direct android-12.1.0_r7
CVE-2023-21026 Medium 5.5 baseandroid-10.0.0_r34 Direct android-13.0.0_r32
CVE-2020-0248 Medium 5.5 baseandroid-10.0.0_r34 Direct android-10.0.0_r41
CVE-2020-0249 Medium 5.5 baseandroid-10.0.0_r34 Direct android-8.0.0_r49,android-8.1.0_r79,android-9.0.0_r59,android-10.0.0_r41
CVE-2020-0247 Medium 5.5 detected in multiple dependencies Direct android-8.0.0_r49,android-8.1.0_r79,android-9.0.0_r59,android-10.0.0_r41
CVE-2020-0121 Medium 5.5 baseandroid-10.0.0_r34 Direct android-10.0.0_r37
CVE-2022-20011 Medium 5.5 baseandroid-10.0.0_r34 Direct android-12.1.0_r5
CVE-2022-20476 Medium 5.5 baseandroid-10.0.0_r34 Direct N/A
CVE-2022-20115 Medium 5.5 baseandroid-10.0.0_r34 Direct android-12.1.0_r5
CVE-2020-0415 Medium 5.5 baseandroid-10.0.0_r34 Direct N/A
CVE-2020-0258 Medium 5.5 baseandroid-10.0.0_r34 Direct android-10.0.0_r41
CVE-2022-20482 Medium 5.5 baseandroid-10.0.0_r34 Direct android-13.0.0_r16
CVE-2023-20909 Medium 5.5 detected in multiple dependencies Direct android-13.0.0_r38
CVE-2023-20908 Medium 5.5 baseandroid-10.0.0_r34 Direct android-13.0.0_r19
CVE-2021-0322 Medium 5.0 detected in multiple dependencies Direct android-11.0.0_r26
CVE-2021-0687 Medium 5.0 baseandroid-10.0.0_r34 Direct android-11.0.0_r43
CVE-2022-20394 Medium 5.0 detected in multiple dependencies Direct android-13.0.0_r1
CVE-2020-0092 Medium 5.0 detected in multiple dependencies Direct android-10.0.0_r34
CVE-2019-2219 Medium 4.7 detected in multiple dependencies Direct android-9.0.0_r51;android-10.0.0_r17
CVE-2021-0443 Medium 4.7 baseandroid-10.0.0_r34 Direct android-11.0.0_r34
CVE-2022-20465 Medium 4.6 detected in multiple dependencies Direct android-13.0.0_r12
CVE-2022-20497 Medium 4.6 baseandroid-10.0.0_r34 Direct android-13.0.0_r7
CVE-2022-20449 Medium 4.4 baseandroid-10.0.0_r34 Direct android-13.0.0_r16
CVE-2020-0135 Medium 4.4 baseandroid-10.0.0_r34 Direct android-10.0.0_r37
CVE-2022-20226 Low 3.9 detected in multiple dependencies Direct android-12.1.0_r7
CVE-2019-9377 Low 3.3 baseandroid-10.0.0_r34 Direct android-10.0.0_r30
CVE-2022-20338 Low 3.3 baseandroid-10.0.0_r34 Direct android-13.0.0_r1
CVE-2022-20446 Low 3.3 detected in multiple dependencies Direct N/A
CVE-2022-20358 Low 3.3 baseandroid-10.0.0_r34 Direct N/A
CVE-2020-0412 Low 3.3 baseandroid-10.0.0_r34 Direct N/A
CVE-2022-20543 Low 2.3 detected in multiple dependencies Direct android-13.0.0_r16

Details

Partial details (7 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2021-0433 ### Vulnerable Library - baseandroid-10.0.0_r34

Android framework classes and services

Library home page: https://android.googlesource.com/platform/frameworks/base

Found in HEAD commit: 0e5e86d7401323e80c8f9d7a515167bf5d66b6a8

Found in base branch: main

### Vulnerable Source Files (1)

/packages/CompanionDeviceManager/src/com/android/companiondevicemanager/DeviceChooserActivity.java

### Vulnerability Details

In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege and pairing malicious devices with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171221090

Publish Date: 2021-04-13

URL: CVE-2021-0433

### CVSS 3 Score Details (8.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2021-04-01

Release Date: 2022-02-13

Fix Resolution: android-11.0.0_r34

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-0705 ### Vulnerable Libraries - baseandroid-10.0.0_r34, baseandroid-10.0.0_r34

### Vulnerability Details

In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-185388103

Publish Date: 2021-10-22

URL: CVE-2021-0705

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2021-10-01

Release Date: 2021-10-22

Fix Resolution: android-11.0.0_r43

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-0708 ### Vulnerable Library - baseandroid-10.0.0_r34

Android framework classes and services

Library home page: https://android.googlesource.com/platform/frameworks/base

Found in HEAD commit: 0e5e86d7401323e80c8f9d7a515167bf5d66b6a8

Found in base branch: main

### Vulnerable Source Files (1)

/services/core/java/com/android/server/am/ActivityManagerShellCommand.java

### Vulnerability Details

In runDumpHeap of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-183262161

Publish Date: 2021-10-22

URL: CVE-2021-0708

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2021-10-01

Release Date: 2021-10-22

Fix Resolution: android-11.0.0_r43

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-20950 ### Vulnerable Libraries - baseandroid-10.0.0_r34, baseandroid-10.0.0_r34, baseandroid-10.0.0_r34, baseandroid-10.0.0_r34, baseandroid-10.0.0_r34, baseandroid-10.0.0_r34

### Vulnerability Details

In AlarmManagerActivity of AlarmManagerActivity.java, there is a possible way to bypass background activity launch restrictions via a pendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-195756028

Publish Date: 2023-04-19

URL: CVE-2023-20950

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://android.googlesource.com/platform/frameworks/base/+/e9f458c52e9c2c1d7591e279b48d2136244b4c8b

Release Date: 2023-04-19

Fix Resolution: android-13.0.0_r1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-0417 ### Vulnerable Library - baseandroid-10.0.0_r34

Android framework classes and services

Library home page: https://android.googlesource.com/platform/frameworks/base

Found in HEAD commit: 0e5e86d7401323e80c8f9d7a515167bf5d66b6a8

Found in base branch: main

### Vulnerable Source Files (1)

/location/java/com/android/internal/location/GpsNetInitiatedHandler.java

### Vulnerability Details

In setNiNotification of GpsNetInitiatedHandler.java, there is a possible permissions bypass due to an empty mutable PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.1 Android-9Android ID: A-154319182

Publish Date: 2021-07-14

URL: CVE-2020-0417

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2021-07-01

Release Date: 2020-07-21

Fix Resolution: android-10.0.0_r46

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-21097 ### Vulnerable Library - baseandroid-10.0.0_r34

Android framework classes and services

Library home page: https://android.googlesource.com/platform/frameworks/base

Found in HEAD commit: 0e5e86d7401323e80c8f9d7a515167bf5d66b6a8

Found in base branch: main

### Vulnerable Source Files (1)

/core/java/android/content/Intent.java

### Vulnerability Details

In toUriInner of Intent.java, there is a possible way to launch an arbitrary activity due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-261858325

Publish Date: 2023-04-19

URL: CVE-2023-21097

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://android.googlesource.com/platform/frameworks/base/+/37e9ac249bc712eb240a7224ebe09d24de5fb190

Release Date: 2023-04-19

Fix Resolution: android-13.0.0_r38

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-0391 ### Vulnerable Libraries - baseandroid-10.0.0_r34, baseandroid-10.0.0_r34, baseandroid-10.0.0_r34

### Vulnerability Details

In onCreate() of ChooseTypeAndAccountActivity.java, there is a possible way to learn the existence of an account, without permissions, due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-172841550

Publish Date: 2021-03-10

URL: CVE-2021-0391

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2021-03-01

Release Date: 2021-03-10

Fix Resolution: android-11.0.0_r32

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.