CVE-2023-21237 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Android Pixel Information Disclosure Vulnerability

Exploit added

March 5, 2024

Action due

March 26, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

In applyRemoteView of NotificationContentInflater.java, there is a possible way to hide foreground service notification due to misleading or insufficient UI. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-251586912

References

https://source.android.com/security/bulletin/pixel/2023-06-01

Weakness Enumeration

CWE-ID	CWE Name
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor

Known Affected Software Configurations

cpe:2.3:o:google:android:13.0:-::::::
cpe:2.3:o:google:android:13.0:::::::*

Details

Source:
NVD

Published:
June 28, 2023

Updated:
July 8, 2024

Risk information

CVSS v3

Base score:
5.5

Severity:

MEDIUM

Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2

Not defined