CVE-2024-23704

Published: May 7, 2024Modified: Dec 17, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

In onCreate of WifiDialogActivity.java, there is a possible way to bypass the DISALLOW_ADD_WIFI_CONFIG restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected (2)

Products: Google: Android

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Google Android	Version 13.0
Google Android	Version 14.0

Related CWEs

Improper Handling of Insufficient Permissions or Privileges

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://android.googlesource.com/platform/packages/apps/Settings/+/2e90322bab7de1deaf3c82e207bf4404b92743d7

Source: security@android.com

Mailing ListPatch

https://source.android.com/security/bulletin/2024-04-01

Source: security@android.com

PatchVendor Advisory

https://android.googlesource.com/platform/packages/apps/Settings/+/2e90322bab7de1deaf3c82e207bf4404b92743d7

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatch

https://source.android.com/security/bulletin/2024-04-01

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.