CVE-2023-21290
https://notcve.org/view.php?id=CVE-2023-21290
In update of MmsProvider.java, there is a possible way to bypass file permission checks due to a race condition. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
• https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/ca4c9a19635119d95900793e7a41b820cd1d94d9
• https://source.android.com/security/bulletin/2023-08-01
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2023-21289
https://notcve.org/view.php?id=CVE-2023-21289
In multiple locations, there is a possible bypass of a multi user security boundary due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
• https://android.googlesource.com/platform/frameworks/base/+/7a5e51c918b7097be3c7e669e1825a4d159c4185
• https://source.android.com/security/bulletin/2023-08-01
CVE-2023-21288
https://notcve.org/view.php?id=CVE-2023-21288
In visitUris of Notification.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
• https://android.googlesource.com/platform/frameworks/base/+/726247f4f53e8cc0746175265652fa415a123c0c
• https://source.android.com/security/bulletin/2023-08-01
• CWE-862: Missing Authorization
CVE-2023-21287
https://notcve.org/view.php?id=CVE-2023-21287
In multiple locations, there is a possible code execution due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
• https://android.googlesource.com/platform/external/freetype/+/a79e80a25874dacaa266906a9048f13d4bac41c6
• https://source.android.com/security/bulletin/2023-08-01
• CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CVE-2023-21286
https://notcve.org/view.php?id=CVE-2023-21286
In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
• https://android.googlesource.com/platform/frameworks/base/+/a65429742caf05205ea7f1c2fdd1119ca652b810
• https://source.android.com/security/bulletin/2023-08-01