CVE-2023-35674

Warnung

EPSS 0.09%
Veröffentlicht 11.09.2023 21:15:42
Zuletzt bearbeitet 23.10.2025 14:52:35
Quelle security@android.com
CVE-Watchlists
Login
Unerledigt
Login

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Google ≫ Android Version11.0

Google ≫ Android Version12.0

Google ≫ Android Version12.1

Google ≫ Android Version13.0

13.09.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Android Framework Privilege Escalation Vulnerability

Schwachstelle

Android Framework contains an unspecified vulnerability that allows for privilege escalation.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.256

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2	6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://source.android.com/security/bulletin/2023-09-01

Patch

Vendor Advisory

https://android.googlesource.com/platform/frameworks/base/+/7428962d3b064ce1122809d87af65099d1129c9e

Patch

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-35674

Third Party Advisory

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2023-35674

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-35674

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-35674

EUVD