CVE-2023-40117

Published: Oct 27, 2023Modified: Apr 29, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

In resetSettingsLocked of SettingsProvider.java, there is a possible lockscreen bypass due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected (4)

Products: Google: Android

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Google Android	Version 11.0
Google Android	Version 12.0
Google Android	Version 12.1
Google Android	Version 13.0

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (6)

https://android.googlesource.com/platform/frameworks/base/+/ff86ff28cf82124f8e65833a2dd8c319aea08945

Source: security@android.com

Patch

https://android.googlesource.com/platform/packages/apps/Settings/+/11815817de2f2d70fe842b108356a1bc75d44ffb

Source: security@android.com

Patch

https://source.android.com/security/bulletin/2023-10-01

Source: security@android.com

PatchVendor Advisory

https://android.googlesource.com/platform/frameworks/base/+/ff86ff28cf82124f8e65833a2dd8c319aea08945

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://android.googlesource.com/platform/packages/apps/Settings/+/11815817de2f2d70fe842b108356a1bc75d44ffb

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://source.android.com/security/bulletin/2023-10-01

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.