CVE-2023-40120

In multiple locations, there is a possible way to bypass user notification of foreground services due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://android.googlesource.com/platform/frameworks/base/+/d26544e5a4fd554b790b4d0c5964d9e95d9e626b	Patch
https://source.android.com/security/bulletin/2023-10-01	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:google:android:11.0:::::::*
	cpe:2.3:o:google:android:12.0:::::::*
	cpe:2.3:o:google:android:12.1:::::::*
	cpe:2.3:o:google:android:13.0:::::::*

History

No history.

Information

Published : 2023-10-27 21:15

Updated : 2023-10-30 17:13

NVD link : CVE-2023-40120

Mitre link : CVE-2023-40120

CVE.ORG link : CVE-2023-40120

JSON object : View

Products Affected

google

android

CWE

NVD-CWE-noinfo

{"id": "CVE-2023-40120", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2023-10-27T21:15:08.667", "references": [{"url": "https://android.googlesource.com/platform/frameworks/base/+/d26544e5a4fd554b790b4d0c5964d9e95d9e626b", "tags": ["Patch"], "source": "security@android.com"}, {"url": "https://source.android.com/security/bulletin/2023-10-01", "tags": ["Patch", "Vendor Advisory"], "source": "security@android.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In multiple locations, there is a possible way to bypass user notification of foreground services due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}, {"lang": "es", "value": "En varias ubicaciones, existe una forma posible de omitir la notificaci\u00f3n al usuario de los servicios en primer plano debido a una validaci\u00f3n de entrada incorrecta. Esto podr\u00eda conducir a una escalada local de privilegios sin necesidad de permisos de ejecuci\u00f3n adicionales. La interacci\u00f3n del usuario no es necesaria para la explotaci\u00f3n."}], "lastModified": "2023-10-30T17:13:13.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "109DD7FD-3A48-4C3D-8E1A-4433B98E1E64"}, {"criteria": "cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8FB8EE9-FC56-4D5E-AE55-A5967634740C"}, {"criteria": "cpe:2.3:o:google:android:12.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C64C1583-CDE0-4C1F-BDE6-05643C1BDD72"}, {"criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}], "operator": "OR"}]}], "sourceIdentifier": "security@android.com"}