CVE-2023-40076 : In createPendingIntent of CredentialManagerUi.java, there is a possible way to a

In createPendingIntent of CredentialManagerUi.java, there is a possible way to access credentials from other users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Published 2023-12-04 23:15:24

Updated 2024-02-02 16:29:29

Source Android (associated with Google Inc. or Open Handset Alliance)

View at NVD, CVE.org

Products affected by CVE-2023-40076

Google » Android » Version: 14.0
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-40076

EPSS FAQ

0.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 1 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-40076

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

References for CVE-2023-40076

https://source.android.com/security/bulletin/2023-12-01

Android Security Bulletin—December 2023 | Android Open Source Project
Patch;Vendor Advisory

CVEs referencing this url
https://android.googlesource.com/platform/frameworks/base/+/9b68987df85b681f9362a3cadca6496796d23bbc

9b68987df85b681f9362a3cadca6496796d23bbc - platform/frameworks/base - Git at Google
Mailing List;Patch

Jump to

Vulnerability Details : CVE-2023-40076

Products affected by CVE-2023-40076

Exploit prediction scoring system (EPSS) score for CVE-2023-40076

CVSS scores for CVE-2023-40076

References for CVE-2023-40076