CVSS: 6.2EPSS: 3%CPEs: 1EXPL: 0CVE-2023-21237 – Android Pixel Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-21237
In applyRemoteView of NotificationContentInflater.java, there is a possible way to hide foreground service notification due to misleading or insufficient UI. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-251586912 Android Pixel contains a vulnerability in the Framework component, where the UI may be misleading or insufficient, providing a means to hide a foreground service notification. This could enable a local attacker to disclose sensitive information. • https://source.android.com/security/bulletin/pixel/2023-06-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-21188
https://notcve.org/view.php?id=CVE-2023-21188
In btm_ble_update_inq_result of btm_ble_gap.cc, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-264624283 • https://source.android.com/security/bulletin/pixel/2023-06-01 • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-21187
https://notcve.org/view.php?id=CVE-2023-21187
In onCreate of UsbAccessoryUriActivity.java, there is a possible way to escape the Setup Wizard due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-246542917 • https://source.android.com/security/bulletin/pixel/2023-06-01 •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-21192
https://notcve.org/view.php?id=CVE-2023-21192
In setInputMethodWithSubtypeIdLocked of InputMethodManagerService.java, there is a possible way to setup input methods that are not enabled due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-227207653 • https://source.android.com/security/bulletin/pixel/2023-06-01 • CWE-20: Improper Input Validation •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-21206
https://notcve.org/view.php?id=CVE-2023-21206
In initiateVenueUrlAnqpQueryInternal of sta_iface.cpp, there is a possible out of bounds read due to unsafe deserialization. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-262245630 • https://source.android.com/security/bulletin/pixel/2023-06-01 • CWE-502: Deserialization of Untrusted Data •