CVE-2024-34741

In setForceHideNonSystemOverlayWindowIfNeeded of WindowState.java, there is a possible way for message content to be visible on the screensaver while lock screen visibility settings are restricted by the user due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://android.googlesource.com/platform/frameworks/base/+/abfaf702ef833dc4d374492d45c615c6e6de7f01
https://source.android.com/security/bulletin/2024-08-01

Configurations

No configuration.

History

16 Aug 2024, 16:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
Summary		(es) En setForceHideNonSystemOverlayWindowIfNeeded de WindowState.java, existe una forma posible de que el contenido del mensaje sea visible en el protector de pantalla mientras el usuario restringe la configuración de visibilidad de la pantalla de bloqueo debido a un error lógico en el código. Esto podría conducir a una escalada local de privilegios sin necesidad de privilegios de ejecución adicionales. La interacción del usuario no es necesaria para la explotación.
CWE		CWE-783 CWE-269

15 Aug 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-15 22:15

Updated : 2024-08-19 13:00

NVD link : CVE-2024-34741

Mitre link : CVE-2024-34741

CVE.ORG link : CVE-2024-34741

JSON object : View

Products Affected

No product.

CWE

CWE-269

Improper Privilege Management

CWE-783

Operator Precedence Logic Error

7.8 /10