CVE-2024-43093 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Android Framework Privilege Escalation Vulnerability

Exploit added

November 7, 2024

Action due

November 28, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

References

Known Affected Software Configurations

cpe:2.3:o:google:android:14.0:::::::*
cpe:2.3:o:google:android:12.0:-::::::
cpe:2.3:o:google:android:13.0:-::::::
cpe:2.3:o:google:android:13.0:::::::*
cpe:2.3:o:google:android:12.0:::::::*

Details

Source:
NVD

Published:
November 13, 2024

Updated:
November 14, 2024

Risk information

CVSS v3

Base score:
7.8

Severity:

HIGH

Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2

Not defined