{"id":"ASB-A-254736794", "published":"2023-07-01T00:00:00Z", "modified":"2026-04-30T15:48:46.890647439Z", "aliases":["CVE-2023-21254", "A-254736794"], "details":"In getCurrentState of OneTimePermissionUserManager.java, there is a possible way to hold one-time permissions after the app is being killed due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13-next:0"}, {"fixed":"13-next:2023-07-01"}]}], "versions":["13-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7"], "severity":"High", "spl":"2023-07-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"286731377711939635674905074908431232409", "length":230}, "id":"ASB-A-254736794-150db067", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7", "target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java", "function":"getCurrentState"}}, {"deprecated":false, "digest":{"line_hashes":["2012088019728896796373346529697119661", "95794887678244685017967769009345707309", "269473325157219616924923563745773375448", "154820972000404752573118643516014957341", "169098446295692466798229884776274637005", "67219821689456268388489880111183157946", "81611614958380172139615727478591205864", "225201598122517943733666693027874673645", "237205250153135466490122010482236680762", "258373914556850159813516484305773392827", "125910280071661462423652500860628301922", "113538152592414822415748897100386305573", "233144689361163071165913764396211623748", "272268049520737346018390666615642509419", "327200272399841684421769554567479185010", "197512901002234036421909392540332515687", "48230772581453563322002997973370902025", "231488850382554498332132733718306136571", "105095112724300480145608650652271240823", "238399159099680063683957948576794709363", "151419067622790176455733014614730665027", "301034873234891899052665121603635606246", "250514607572004205542612161216221479765", "247503341480896072712975524814651163330"], "threshold":0.9}, "id":"ASB-A-254736794-185febc0", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7", "target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java"}}, {"deprecated":false, "digest":{"function_hash":"66636180706436326696362511061246090529", "length":290}, "id":"ASB-A-254736794-b35f72e7", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7", "target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java", "function":"OneTimePermissionUserManager"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2023-07-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3"], "severity":"High", "spl":"2023-07-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["2012088019728896796373346529697119661", "95794887678244685017967769009345707309", "269473325157219616924923563745773375448", "154820972000404752573118643516014957341", "104213317420452091492353394712202028201", "115008296082753412527057053867333611588", "327946308160344602239660896448104314510", "225201598122517943733666693027874673645", "237205250153135466490122010482236680762", "258373914556850159813516484305773392827", "125910280071661462423652500860628301922", "113538152592414822415748897100386305573", "233144689361163071165913764396211623748", "39614901207402222558656648053840086968", "69252160723633962585538215955562754152", "197512901002234036421909392540332515687", "48230772581453563322002997973370902025", "231488850382554498332132733718306136571", "105095112724300480145608650652271240823", "238399159099680063683957948576794709363", "151419067622790176455733014614730665027", "301034873234891899052665121603635606246", "250514607572004205542612161216221479765", "247503341480896072712975524814651163330"], "threshold":0.9}, "id":"ASB-A-254736794-098c99e5", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3", "target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java"}}, {"deprecated":false, "digest":{"function_hash":"286731377711939635674905074908431232409", "length":230}, "id":"ASB-A-254736794-5294ec01", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3", "target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java", "function":"getCurrentState"}}, {"deprecated":false, "digest":{"function_hash":"189535468120640384763674111584510550352", "length":265}, "id":"ASB-A-254736794-7993dbd8", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3", "target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java", "function":"OneTimePermissionUserManager"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2023-07-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/fa539c85503dc63bfb53c76b6f12b3549f14a709"}]}