{"id":"ASB-A-174046397","details":"In onCreate of CalendarDebugActivity.java, there is a possible way to export calendar data to the sdcard without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-174046397","CVE-2021-0487"],"modified":"2026-06-11T14:59:52.052110020Z","published":"2021-05-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2021-05-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/providers/CalendarProvider/+/8cddb2643dd823721ba5c897a089d06c56b50a60"}],"affected":[{"package":{"name":"platform/packages/providers/CalendarProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2021-05-01"}]}],"versions":["11"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/providers/CalendarProvider/+/11fe2048a5aa5d3d3db315194921130bf2407919"],"vanir_signatures":[{"digest":{"line_hashes":["60518912781230707920037808092477919804","119739717399118429099288361389180461437","322385714673689406118538491383202140376"],"threshold":0.9},"deprecated":false,"signature_type":"Line","source":"https://android.googlesource.com/platform/packages/providers/CalendarProvider/+/11fe2048a5aa5d3d3db315194921130bf2407919","target":{"file":"src/com/android/providers/calendar/CalendarDebugActivity.java"},"signature_version":"v1","id":"ASB-A-174046397-ecaf0a28"}],"types":["EoP"],"severity":"High","spl":"2021-05-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-174046397.json"}}],"schema_version":"1.7.5"}