{"id":"ASB-A-246301995", "published":"2023-01-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2023-20912", "A-246301995"], "details":"In onActivityResult of AvatarPickerActivity.java, there is a possible way to access images belonging to other users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/packages/providers/MediaProvider", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2023-01-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/db654251f2754d1a4778111eace8086bc8b44959"], "severity":"High", "spl":"2023-01-01", "types":["EoP"]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2023-01-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/f43df6ae00abc070b459f861f40eca736f73d381"}]}