CVE-2024-0015

Published: Feb 16, 2024Modified: Mar 14, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

In convertToComponentName of DreamService.java, there is a possible way to launch arbitrary protected activities due to intent redirection. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

Affected (4)

Products: Google: Android

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Google Android	Version 11.0
Google Android	Version 12.0
Google Android	Version 12.1
Google Android	Version 13.0

Related CWEs

Improper Handling of Insufficient Permissions or Privileges

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

References (4)

https://android.googlesource.com/platform/frameworks/base/+/2ce1b7fd37273ea19fbbb6daeeaa6212357b9a70

Source: security@android.com

Mailing ListPatch

https://source.android.com/security/bulletin/2024-01-01

Source: security@android.com

PatchVendor Advisory

https://android.googlesource.com/platform/frameworks/base/+/2ce1b7fd37273ea19fbbb6daeeaa6212357b9a70

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatch

https://source.android.com/security/bulletin/2024-01-01

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.