7.3

CVE-2024-43093

Warnung
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to  incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleAndroid Version12.0
GoogleAndroid Version12.1
GoogleAndroid Version13.0
GoogleAndroid Version14.0
GoogleAndroid Version15.0

07.11.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Android Framework Privilege Escalation Vulnerability

Schwachstelle

Android Framework contains an unspecified vulnerability that allows for privilege escalation.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.71% 0.49
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.3 1.3 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.3 1.3 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-176 Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding.

https://source.android.com/security/bulletin/2025-03-01
Vendor Advisory
https://android.googlesource.com/platform/frameworks/base/+/7f83c671626f9bf993581f4598c22482d87cba10
Patch
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-43093
Third Party Advisory
US Government Resource