{"id":"ASB-A-243378132", "published":"2023-01-01T00:00:00Z", "modified":"2026-04-30T15:48:46.890647439Z", "aliases":["CVE-2023-20921", "A-243378132"], "details":"In onPackageRemoved of AccessibilityManagerService.java, there is a possibility to automatically grant accessibility services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"10:0"}, {"fixed":"10:2023-01-01"}]}], "versions":["10"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/37966299859153377e61a6a97b036388d231c2d0"], "severity":"High", "spl":"2023-01-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["236631357762625178675023541390441752221", "10595195653811829102514404699409020643", "118646039670723451812982949215475581031", "308106080403074465601407965368341122746", "257531265060042935403164492950648892981", "29846843808137443483246000717080862150", "166691140886119245516343242551824859128", "301596378629914302364551311646528725673", "143018679850793703375987037922897840918", "291707394074430904116119120004350413287", "122714709178344749347158447730012232573", "304452781087085710561676062515564431274", "26484132709224229574958746359851073956", "207719386867169009892832194776872560967", "186460278978359319341555873407909587196", "318161903193323979827882538396094327559", "335742583378191237584529136782329445411", "182076733878820234577063963982364458997", "188634755782281652840004754257306185162", "293949540968280903538352693917672011553", "108587633537507210242609878158511307392", "295747577431459138783214723720080232905"], "threshold":0.9}, "id":"ASB-A-243378132-31cc3c7c", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/37966299859153377e61a6a97b036388d231c2d0", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"41468928610322268501338051732645977169", "length":749}, "id":"ASB-A-243378132-c0ae94d4", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/37966299859153377e61a6a97b036388d231c2d0", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function":"onPackageRemoved"}}, {"deprecated":false, "digest":{"function_hash":"330331932412139811646432065080055047", "length":4324}, "id":"ASB-A-243378132-d687118d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/37966299859153377e61a6a97b036388d231c2d0", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function":"registerBroadcastReceivers"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2023-01-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"], "severity":"High", "spl":"2023-01-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"122592281931139715014269638805728949640", "length":917}, "id":"ASB-A-243378132-5a689cbf", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function":"onPackageRemoved"}}, {"deprecated":false, "digest":{"function_hash":"213937848733813786983288430467818877027", "length":5358}, "id":"ASB-A-243378132-cca3e3a2", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function":"registerBroadcastReceivers"}}, {"deprecated":false, "digest":{"line_hashes":["120544117324700545087338990654297186575", "298300173742793367670243473200708659368", "75028889963202810443403858792404514626", "1814652559885654915609354500658874335", "18432821694174943006265164083414281214", "293554040932675007454802700746005267112", "22732033932196370463803681708292818366", "225326834748319365348113367094016570252", "297015841027970518372091856753329288334", "122714709178344749347158447730012232573", "304452781087085710561676062515564431274", "26484132709224229574958746359851073956", "207719386867169009892832194776872560967", "186460278978359319341555873407909587196", "318161903193323979827882538396094327559", "335742583378191237584529136782329445411", "182076733878820234577063963982364458997", "188634755782281652840004754257306185162", "293949540968280903538352693917672011553", "108587633537507210242609878158511307392", "295747577431459138783214723720080232905"], "threshold":0.9}, "id":"ASB-A-243378132-d6839dd7", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2023-01-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"], "severity":"High", "spl":"2023-01-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["120544117324700545087338990654297186575", "298300173742793367670243473200708659368", "75028889963202810443403858792404514626", "1814652559885654915609354500658874335", "18432821694174943006265164083414281214", "293554040932675007454802700746005267112", "22732033932196370463803681708292818366", "225326834748319365348113367094016570252", "297015841027970518372091856753329288334", "122714709178344749347158447730012232573", "304452781087085710561676062515564431274", "26484132709224229574958746359851073956", "207719386867169009892832194776872560967", "186460278978359319341555873407909587196", "318161903193323979827882538396094327559", "335742583378191237584529136782329445411", "182076733878820234577063963982364458997", "188634755782281652840004754257306185162", "293949540968280903538352693917672011553", "108587633537507210242609878158511307392", "295747577431459138783214723720080232905"], "threshold":0.9}, "id":"ASB-A-243378132-2c99561c", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"213937848733813786983288430467818877027", "length":5358}, "id":"ASB-A-243378132-c30fe324", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function":"registerBroadcastReceivers"}}, {"deprecated":false, "digest":{"function_hash":"122592281931139715014269638805728949640", "length":917}, "id":"ASB-A-243378132-ec319c69", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function":"onPackageRemoved"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2023-01-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"], "severity":"High", "spl":"2023-01-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"213937848733813786983288430467818877027", "length":5358}, "id":"ASB-A-243378132-0ae27b2c", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function":"registerBroadcastReceivers"}}, {"deprecated":false, "digest":{"function_hash":"122592281931139715014269638805728949640", "length":917}, "id":"ASB-A-243378132-e5a9802f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function":"onPackageRemoved"}}, {"deprecated":false, "digest":{"line_hashes":["120544117324700545087338990654297186575", "298300173742793367670243473200708659368", "75028889963202810443403858792404514626", "1814652559885654915609354500658874335", "18432821694174943006265164083414281214", "293554040932675007454802700746005267112", "22732033932196370463803681708292818366", "225326834748319365348113367094016570252", "297015841027970518372091856753329288334", "122714709178344749347158447730012232573", "304452781087085710561676062515564431274", "26484132709224229574958746359851073956", "207719386867169009892832194776872560967", "186460278978359319341555873407909587196", "318161903193323979827882538396094327559", "335742583378191237584529136782329445411", "182076733878820234577063963982364458997", "188634755782281652840004754257306185162", "293949540968280903538352693917672011553", "108587633537507210242609878158511307392", "295747577431459138783214723720080232905"], "threshold":0.9}, "id":"ASB-A-243378132-e79bcdfb", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2023-01-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"], "severity":"High", "spl":"2023-01-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["120544117324700545087338990654297186575", "298300173742793367670243473200708659368", "75028889963202810443403858792404514626", "1814652559885654915609354500658874335", "18432821694174943006265164083414281214", "293554040932675007454802700746005267112", "22732033932196370463803681708292818366", "225326834748319365348113367094016570252", "297015841027970518372091856753329288334", "122714709178344749347158447730012232573", "304452781087085710561676062515564431274", "26484132709224229574958746359851073956", "207719386867169009892832194776872560967", "186460278978359319341555873407909587196", "318161903193323979827882538396094327559", "335742583378191237584529136782329445411", "182076733878820234577063963982364458997", "188634755782281652840004754257306185162", "293949540968280903538352693917672011553", "108587633537507210242609878158511307392", "295747577431459138783214723720080232905"], "threshold":0.9}, "id":"ASB-A-243378132-06c4a3e8", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"213937848733813786983288430467818877027", "length":5358}, "id":"ASB-A-243378132-ebe202a0", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function":"registerBroadcastReceivers"}}, {"deprecated":false, "digest":{"function_hash":"122592281931139715014269638805728949640", "length":917}, "id":"ASB-A-243378132-ec23a969", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763", "target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function":"onPackageRemoved"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2023-01-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/7cad088a533f967d94c8d436b609e4ed2b184897"}]}