Android DeviceVersionFragment Exploits insecure adb access for local privilege escalation
CVE-2023-48418 Published on January 2, 2024
User Build misconfiguration resulting in local escalation of privilege
In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a
possible way to access adb before SUW completion due to an insecure default
value. This could lead to local escalation of privilege with no additional
execution privileges needed. User interaction is not needed for
exploitation
Vulnerability Analysis
CVE-2023-48418 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Products Associated with CVE-2023-48418
stack.watch emails you whenever new vulnerabilities are published in Google Pixel Watch Firmware or Google Android. Just hit a watch button to start following.
Affected Versions
Google Pixel Watch Version 11 is affected by CVE-2023-48418Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.