{"id":"ASB-A-209611539","details":"In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.","aliases":["A-209611539","CVE-2021-39692"],"modified":"2026-04-22T14:59:17.843400Z","published":"2022-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/a07188111567974bc8a2c817825c28169c589535"}],"affected":[{"package":{"name":"platform/packages/apps/ManagedProvisioning","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-03-01"}]}],"versions":["10"],"ecosystem_specific":{"severity":"High","types":["EoP"],"vanir_signatures":[{"target":{"function":"onCreate","file":"src/com/android/managedprovisioning/common/SetupLayoutActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/f0908ba3ccf4b294be011cb3cb3441b34144f06e","signature_type":"Function","deprecated":false,"signature_version":"v1","id":"ASB-A-209611539-2d7408e3","digest":{"length":270,"function_hash":"279812341486862715102499333121300560131"}},{"target":{"file":"src/com/android/managedprovisioning/common/SetupLayoutActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/f0908ba3ccf4b294be011cb3cb3441b34144f06e","signature_type":"Line","deprecated":false,"signature_version":"v1","id":"ASB-A-209611539-739108de","digest":{"threshold":0.9,"line_hashes":["220332388498290215213726294612743642964","335942912665976225110949355242464214081","286508034715687416815902777443473931615","195276513162238704053113346935851779543","53727082822104917753235367368246502408","310872518984056668347119424478769359078"]}}],"spl":"2022-03-01","fixes":["https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/f0908ba3ccf4b294be011cb3cb3441b34144f06e"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-209611539.json"}},{"package":{"name":"platform/packages/apps/ManagedProvisioning","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-03-01"}]}],"versions":["11"],"ecosystem_specific":{"severity":"High","types":["EoP"],"vanir_signatures":[{"target":{"function":"onCreate","file":"src/com/android/managedprovisioning/common/SetupLayoutActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/4b04bf81f88385d9a364a6a6ef88e0025fd0f84a","signature_type":"Function","deprecated":false,"signature_version":"v1","id":"ASB-A-209611539-3830400c","digest":{"length":270,"function_hash":"279812341486862715102499333121300560131"}},{"target":{"file":"src/com/android/managedprovisioning/common/SetupLayoutActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/4b04bf81f88385d9a364a6a6ef88e0025fd0f84a","signature_type":"Line","deprecated":false,"signature_version":"v1","id":"ASB-A-209611539-e2979154","digest":{"threshold":0.9,"line_hashes":["220332388498290215213726294612743642964","335942912665976225110949355242464214081","286508034715687416815902777443473931615","195276513162238704053113346935851779543","53727082822104917753235367368246502408","310872518984056668347119424478769359078"]}}],"spl":"2022-03-01","fixes":["https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/4b04bf81f88385d9a364a6a6ef88e0025fd0f84a"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-209611539.json"}},{"package":{"name":"platform/packages/apps/ManagedProvisioning","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-03-01"}]}],"versions":["12"],"ecosystem_specific":{"severity":"High","types":["EoP"],"vanir_signatures":[{"target":{"file":"src/com/android/managedprovisioning/common/SetupLayoutActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/a07188111567974bc8a2c817825c28169c589535","signature_type":"Line","deprecated":false,"signature_version":"v1","id":"ASB-A-209611539-1749addc","digest":{"threshold":0.9,"line_hashes":["314336311971156495770716358307085283278","57288772857243715499003298683184410612","167039254005696276617368158317989525581","194597702290193553871435272377110277713","62972918542328533708134472281361535958"]}},{"target":{"function":"onCreate","file":"src/com/android/managedprovisioning/common/SetupLayoutActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/a07188111567974bc8a2c817825c28169c589535","signature_type":"Function","deprecated":false,"signature_version":"v1","id":"ASB-A-209611539-be270d63","digest":{"length":513,"function_hash":"138985004227445478747826064386264047309"}}],"spl":"2022-03-01","fixes":["https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/a07188111567974bc8a2c817825c28169c589535"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-209611539.json"}},{"package":{"name":"platform/packages/apps/ManagedProvisioning","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-03-01"}]}],"versions":["12L"],"ecosystem_specific":{"severity":"High","types":["EoP"],"vanir_signatures":[{"target":{"file":"src/com/android/managedprovisioning/common/SetupLayoutActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/a07188111567974bc8a2c817825c28169c589535","signature_type":"Line","deprecated":false,"signature_version":"v1","id":"ASB-A-209611539-373c73e1","digest":{"threshold":0.9,"line_hashes":["314336311971156495770716358307085283278","57288772857243715499003298683184410612","167039254005696276617368158317989525581","194597702290193553871435272377110277713","62972918542328533708134472281361535958"]}},{"target":{"function":"onCreate","file":"src/com/android/managedprovisioning/common/SetupLayoutActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/a07188111567974bc8a2c817825c28169c589535","signature_type":"Function","deprecated":false,"signature_version":"v1","id":"ASB-A-209611539-fc94c1ba","digest":{"length":513,"function_hash":"138985004227445478747826064386264047309"}}],"spl":"2022-03-01","fixes":["https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/a07188111567974bc8a2c817825c28169c589535"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-209611539.json"}}],"schema_version":"1.7.5"}