Google Android CVE-2023-20963 is a vulnerability in Google Android
Published on March 24, 2023

In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-11, Android-12, Android-12L, Android-13
Android ID: A-220302519

Vendor Advisory NVD

Known Exploited Vulnerability

This Android Framework Privilege Escalation Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed.

The following remediation steps are recommended / required by May 4, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2023-20963 can be exploited with local system access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

What versions of Android are vulnerable to CVE-2023-20963?