{"id":"ASB-A-221040577", "published":"2023-03-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2023-20906", "A-221040577"], "details":"In onPackageAddedInternal of PermissionManagerService.java, there is a possible way to silently grant a permission after a Target SDK update due to a permissions bypass. This could lead to local escalation of privilege after updating an app to a higher Target SDK with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13-next:0"}, {"fixed":"13-next:2023-03-01"}]}], "versions":["13-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e6efe583f98644440f675bb2cc5a75d665ca31c9"], "severity":"High", "spl":"2023-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["332912690824931462244194323491242883782", "259989983721407450859979620886065752986", "38869589564361465266772387587708486935", "55540827721963568973809242028415986211", "336942483118682634612537402811980972292", "240623499310114656397924907302367732384", "49116731288914950667429861431582766175"], "threshold":0.9}, "id":"ASB-A-221040577-3f6453eb", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e6efe583f98644440f675bb2cc5a75d665ca31c9", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java"}}, {"deprecated":false, "digest":{"function_hash":"254934654226332861981312680198584974655", "length":1171}, "id":"ASB-A-221040577-d706e222", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e6efe583f98644440f675bb2cc5a75d665ca31c9", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java", "function":"onPackageAddedInternal"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2023-03-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/2f30a63b11e59f9daf42f51eb85aa91c86f4baf4", "https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a"], "severity":"High", "spl":"2023-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["63617228123231389157678444016981042758", "307817833435620765044176194408880760069", "145625110771803479936844521300901125064", "95493312720080284709043055752853624397", "243996333839111971992555695183695671801", "334509522104777894484931643752337482002", "138150838695361478392070281702230292223", "278604607850135422571958282041771463121", "22656488853290935534549218894676931759", "25290995885617357257344267291092550861", "100417968865404874609375927335168003552"], "threshold":0.9}, "id":"ASB-A-221040577-2031bccb", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java"}}, {"deprecated":false, "digest":{"line_hashes":["30553861861542596536484849737338142538", "64422473440631326362935125530765734808", "66617370866194042534636165393138419215", "253486867763259364198838821018249159346", "234427732332460419683280325131817786104", "170751048600913403647270996771904538081", "315552169768819034331054160079121776308", "19079637256359424495946882261832414760", "58624928594643985245701146764633234660", "60342793402009383795077237736412838416", "260836991285810948609356616388936811191", "103647162603698848244913627223363131578", "80879277292638886615080913027510501208", "40119369577325674107995636609886042298", "195666147893739222628403882447240346435", "303660049123680962705019011860582343065", "148437318290529669344121565119150032859", "86349647666249459856572696221300111365"], "threshold":0.9}, "id":"ASB-A-221040577-46984a93", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"}}, {"deprecated":false, "digest":{"line_hashes":["211944118180056668024505643965069121348", "101383814151195122333233703118074256060", "100153087899313758591344044118174399317", "8623634095673080074026369860095805136", "200222505482104338504794180945021285318", "191042270520810155457571782397370298001"], "threshold":0.9}, "id":"ASB-A-221040577-6769a809", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"186704004956831636458598013952277793202", "length":5056}, "id":"ASB-A-221040577-a4636b68", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"commitPackageSettings"}}, {"deprecated":false, "digest":{"function_hash":"176798206311331559845208305831929425920", "length":192}, "id":"ASB-A-221040577-ff06d8d4", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function":"revokeRuntimePermissionsIfGroupChanged"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2023-03-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/5e80fcf8c423f288a87d727f48ae38112177d716"], "severity":"High", "spl":"2023-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["332912690824931462244194323491242883782", "259989983721407450859979620886065752986", "38869589564361465266772387587708486935", "55540827721963568973809242028415986211", "336942483118682634612537402811980972292", "240623499310114656397924907302367732384", "49116731288914950667429861431582766175"], "threshold":0.9}, "id":"ASB-A-221040577-94290be3", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/5e80fcf8c423f288a87d727f48ae38112177d716", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"254934654226332861981312680198584974655", "length":1171}, "id":"ASB-A-221040577-c64d9b5c", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/5e80fcf8c423f288a87d727f48ae38112177d716", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function":"onPackageAddedInternal"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2023-03-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/2509b12e6fc921c855e16471a8b6648535626f1d"], "severity":"High", "spl":"2023-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["332912690824931462244194323491242883782", "259989983721407450859979620886065752986", "38869589564361465266772387587708486935", "55540827721963568973809242028415986211", "336942483118682634612537402811980972292", "240623499310114656397924907302367732384", "49116731288914950667429861431582766175"], "threshold":0.9}, "id":"ASB-A-221040577-883a94cf", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/2509b12e6fc921c855e16471a8b6648535626f1d", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"254934654226332861981312680198584974655", "length":1171}, "id":"ASB-A-221040577-db99635e", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/2509b12e6fc921c855e16471a8b6648535626f1d", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java", "function":"onPackageAddedInternal"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2023-03-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/fba194b998cf22d073a36cb5c6f9397c2dc1a50e"], "severity":"High", "spl":"2023-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"254934654226332861981312680198584974655", "length":1171}, "id":"ASB-A-221040577-249277d7", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/fba194b998cf22d073a36cb5c6f9397c2dc1a50e", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java", "function":"onPackageAddedInternal"}}, {"deprecated":false, "digest":{"line_hashes":["332912690824931462244194323491242883782", "259989983721407450859979620886065752986", "38869589564361465266772387587708486935", "55540827721963568973809242028415986211", "336942483118682634612537402811980972292", "240623499310114656397924907302367732384", "49116731288914950667429861431582766175"], "threshold":0.9}, "id":"ASB-A-221040577-fd402e7c", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/fba194b998cf22d073a36cb5c6f9397c2dc1a50e", "target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2023-03-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/5e80fcf8c423f288a87d727f48ae38112177d716"}]}