CVE-2023-35671

Published: Sep 11, 2023Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

In onHostEmulationData of HostEmulationManager.java, there is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected (4)

Products: Google: Android

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Google Android	Version 11.0
Google Android	Version 12.0
Google Android	Version 12.1
Google Android	Version 13.0

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

https://android.googlesource.com/platform/packages/apps/Nfc/+/745632835f3d97513a9c2a96e56e1dc06c4e4176

Source: security@android.com

Issue TrackingPatch

https://source.android.com/security/bulletin/2023-09-01

Source: security@android.com

Vendor Advisory

https://android.googlesource.com/platform/packages/apps/Nfc/+/745632835f3d97513a9c2a96e56e1dc06c4e4176

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatch

https://source.android.com/security/bulletin/2023-09-01

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.