Request a Demo
Rewterz
Rewterz Threat Advisory – CVE-2023-37988 – WordPress Contact Form Generator Plugin Vulnerability
August 16, 2023
Rewterz
Rewterz Threat Advisory – CVE-2023-33013 – Zyxel NBG6604 Devices Vulnerability
August 16, 2023

Rewterz Threat Advisory – Multiple Google Android Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-21132 CVSS:6.4

Google Android could allow a physically proximate attacker to gain elevated privileges on the system, caused by a missing permission check in onCreate of ManagePermissionsActivity.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges. Note: device must have been factory reset.

CVE-2023-21133 CVSS:6.4

Google Android could allow a physically proximate attacker to gain elevated privileges on the system, caused by a missing permission check in onCreate of ManagePermissionsActivity.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges. Note: device must have been factory reset.

CVE-2023-21134 CVSS:6.4

Google Android could allow a physically proximate attacker to gain elevated privileges on the system, caused by a missing permission check in onCreate of ManagePermissionsActivity.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges. Note: device must have been factory reset.

CVE-2023-21140 CVSS:6.4

Google Android could allow a physically proximate attacker to gain elevated privileges on the system, caused by a missing permission check in onCreate of ManagePermissionsActivity.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges. Note: device must have been factory reset.

CVE-2023-21229 CVSS:8.4

Google Android could allow a local attacker to gain elevated privileges on the system, caused by an unsafe PendingIntent in registerServiceLocked of ManagedServices.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.

CVE-2023-21230 CVSS:6.2

Google Android could allow a local attacker to obtain sensitive information, caused by a precondition check failure in onAccessPointChanged of AccessPointPreference.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-21231 CVSS:8.4

Google Android could allow a local attacker to gain elevated privileges on the system, caused by a missing permission check in getIntentForButton of ButtonManager.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.

CVE-2023-21269 CVSS:8.4

Google Android could allow a local attacker to gain elevated privileges on the system, caused by a BAL bypass flaw in startActivityInner of ActivityStarter.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.

CVE-2023-21271 CVSS:6.2

Google Android could allow a local attacker to obtain sensitive information, caused by an out of bounds read in parseInputs of ShimPreparedModel.cpp. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-21272 CVSS:8.4

Google Android could allow a local attacker to gain elevated privileges on the system, caused by a bad URI permission grant in readFrom of Uri.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.

CVE-2023-21273 CVSS:9.8

Google Android could allow a remote attacker to execute arbitrary code on the system, caused by an out of bounds write in SDP_AddAttribute of sdp_db.cc. By executing a specially crafted application, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-21274 CVSS:6.2

Google Android could allow a local attacker to obtain sensitive information, caused by an out of bounds read in convertSubgraphFromHAL of ShimConverter.cpp. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-21275 CVSS:8.4

Google Android could allow a local attacker to gain elevated privileges on the system, caused by a logic error in the code in decideCancelProvisioningDialog of AdminIntegratedFlowPrepareActivity.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.

CVE-2023-21276 CVSS:6.2

Google Android could allow a local attacker to obtain sensitive information, caused by the use of uninitialized data in writeToParcel of CursorWindow.cpp. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-21277 CVSS:5.5

Google Android could allow a local authenticated attacker to obtain sensitive information, caused by a missing permission check in visitUris of RemoteViews.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-21278 CVSS:8.4

Google Android could allow a local attacker to gain elevated privileges on the system, caused by a logic error in the code in multiple locations. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.

CVE-2023-21279 CVSS:6.2

Google Android could allow a local attacker to obtain sensitive information, caused by a confused deputy in visitUris of RemoteViews.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-21282 CVSS:8.8

Google Android could allow a remote attacker to execute arbitrary code on the system, caused by an incorrect bounds check in TRANSPOSER_SETTINGS of lpp_tran.h. By persuading a victim to execute a specially crafted application, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-21283 CVSS:5.5

Google Android could allow a local attacker to obtain sensitive information, caused by a confused deputy in multiple functions of StatusHints.java. By persuading a victim to execute a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-21284 CVSS:5.5

Google Android is vulnerable to a denial of service, caused by improper input validation in multiple functions of DevicePolicyManager.java. By executing a specially crafted application, a local authenticated attacker could exploit this vulnerability to cause a denial of service.

CVE-2023-21285 CVSS:6.2

Google Android could allow a local attacker to obtain sensitive information, caused by a confused deputy in setMetadata of MediaSessionRecord.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-21286 CVSS:8.4

Google Android could allow a local attacker to gain elevated privileges on the system, caused by a missing permission check in visitUris of RemoteViews.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.

CVE-2023-21288 CVSS:5.5

Google Android could allow a local authenticated attacker to obtain sensitive information, caused by a missing permission check in visitUris of Notification.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-21289 CVSS:6.2

Google Android could allow a local attacker to obtain sensitive information, caused by a confused deputy in multiple locations. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-21290 CVSS:6.2

Google Android is vulnerable to a denial of service, caused by a race condition in update of MmsProvider.java. By executing a specially crafted application, a local attacker could exploit this vulnerability to cause a denial of service.

CVE-2023-21292 CVSS:6.2

Google Android could allow a local attacker to obtain sensitive information, caused by a confused deputy in openContentUri of ActivityManagerService.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

Impact

  • Information Disclosure
  • Code Execution
  • Privilege Escalation
  • Denial of Service

Indicators Of Compromise

CVE

  • CVE-2023-21132
  • CVE-2023-21133
  • CVE-2023-21134
  • CVE-2023-21140
  • CVE-2023-21229
  • CVE-2023-21230
  • CVE-2023-21231
  • CVE-2023-21269
  • CVE-2023-21271
  • CVE-2023-21272
  • CVE-2023-21273
  • CVE-2023-21274
  • CVE-2023-21275
  • CVE-2023-21276
  • CVE-2023-21277
  • CVE-2023-21278
  • CVE-2023-21279
  • CVE-2023-21282
  • CVE-2023-21283
  • CVE-2023-21284
  • CVE-2023-21285
  • CVE-2023-21286
  • CVE-2023-21288
  • CVE-2023-21289
  • CVE-2023-21290
  • CVE-2023-21292

Affected Vendors

Google

Affected Products

  • Google Android.

Remediation

Refer to Android Open Source Project for patch, upgrade or suggested workaround information.

Android Open Source Project