Android RemoteViews URI Confused Deputy Image Leak
CVE-2023-21238 Published on July 13, 2023
In visitUris of RemoteViews.java, there is a possible leak of images between users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Weakness Type
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Products Associated with CVE-2023-21238
Want to know whenever a new CVE is published for Google Android? stack.watch will email you.
Affected Versions
Google Android:- Version 13 is affected.
- Version 12L is affected.
- Version 12 is affected.
- Version 11 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.