Back to KEVs

CVE-2024-43093

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive...

Basic Information

CVE State
PUBLISHED
Reserved Date
August 05, 2024
Published Date
November 13, 2024
Last Updated
November 13, 2024
Vendor
Google
Product
Android
Description
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
Tags
android cisa

CVSS Scores

CVSS v3.1

7.8 - HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2024-11-07 00:00:00 UTC) Source

References

https://android.googlesource.com/platform/frameworks/base/+/67d6e08322019f7ed8e3f80bd6cd16f8bcb809ed https://source.android.com/security/bulletin/2024-11-01

Known Exploited Vulnerability Information

Source Added Date
CISA 2024-11-07 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • Added to KEVIntel

  • CVE Published to Public