{"id":"ASB-A-210065877","details":"In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way to bypass user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-210065877","CVE-2022-20450"],"modified":"2026-04-30T15:48:46.890647Z","published":"2022-11-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-11-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/0873a30210d6425ffb28021000ef3fe40a8da711"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-11-01"}]}],"versions":["11"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4","id":"ASB-A-210065877-7f44be55","signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"function":"restorePermissionState","file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"},"digest":{"function_hash":"313395618697061706143828738755605122814","length":10816}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4","id":"ASB-A-210065877-82e03571","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"digest":{"threshold":0.9,"line_hashes":["70337220111095111239554531117300270560","37680386246374956347998185350697731801","194092347827170068529915649080525668756","37904075820297233052904941461534405475"]}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4","id":"ASB-A-210065877-b9c7d2ac","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"},"digest":{"threshold":0.9,"line_hashes":["192329061750754579635130939936978434760","180845804502122717465318985068976461465","177498258042140996260575903969205252874","157672850619058297516428766977646296191","49957728695482223994996026688992799860","155700006602593996535553090055359115192","189503656619447869696913099614599607398","332805842555046017036491288664338011557","52131025358373768466184263356344105817","138745309758142223385199693376003711444","291971255444764233347146488762018284859","349162356191215844468090734286535060","163690546655641809481703346611962914311","173906844637934707168991241424116221235","171342722970669750398215088449046445017","293841873522683363379165884003241045615","156316419184537633419863264451999548929","198141498415930033094452607809662987630","60549211253879352751947260189873568675","191085721430628901071938960134422239855","236732265184660035366467935863000898408","75407180318704451699303769443305508093"]}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/f11f26c0121152ffa5c8493ebbedb9fd369ec6c4","id":"ASB-A-210065877-d5ede725","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/core/java/android/content/pm/PackageManagerInternal.java"},"digest":{"threshold":0.9,"line_hashes":["140733965518960597410749120412513228337","133000066657174067784792790976086256649"]}}],"types":["EoP"],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-210065877.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-11-01"}]}],"versions":["12"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/23aac9cb8eb4545a79bafef3c14864e0aa59e228"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/23aac9cb8eb4545a79bafef3c14864e0aa59e228","id":"ASB-A-210065877-0d418034","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"},"digest":{"threshold":0.9,"line_hashes":["204068925692065732622297449105718764950","189002681868105969675858536182292719692","27119499515421481643088173525291392512","309020344221767103913966043106851831373","94532263032810138178452766913210053001","145770841673157355582929213949103756484","121858566232927313939010965935187168921","177498258042140996260575903969205252874","157672850619058297516428766977646296191","122586252879616957845736246789726967874","49295243026898906572170636147125349825","140287879494077765913243099683714685357","338583801412692770865376243698492200826","312154753232476171165435569596566928389","251327487216216132552046834505879001760","272786978245618890801536400053749027092","16755325034230407185356123000104119490","266325398593348129313837249785764061006","81183483232826653128425546244167158126","89583781141578730997026421727059260226","137025581340638661145686941050757022756","247875880308441436746754417505263827341","107383290604112603127335460872191143314","259745650538462562304317647837850807378","110635991185879868564817031942272871690","81522928803926506048863656976925063374","233020365937013684941229783684964983097","68476467424128480975241919625541521298","52764643450515969104304985049234796646","62950841911947415746268478580969992406","236732265184660035366467935863000898408","75407180318704451699303769443305508093","108587633537507210242609878158511307392","223346374230332314202607025582642319083","25769565521317829918966238158725570349","35018291119125253438113329575662430308","51657818545401116001910514239752911792","277889238348594391941544173186934120630","212104117500095294343351554471806212485","256620539703273529247375758003833936612"]}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/23aac9cb8eb4545a79bafef3c14864e0aa59e228","id":"ASB-A-210065877-fe0a9f79","signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"function":"restorePermissionState","file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"},"digest":{"function_hash":"122957904428876774460389341088842378663","length":8765}}],"types":["EoP"],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-210065877.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-11-01"}]}],"versions":["12L"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/dd48aab843ff7b19fa5fbde987d84b76c92922f2"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/dd48aab843ff7b19fa5fbde987d84b76c92922f2","id":"ASB-A-210065877-5d9ce940","signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"function":"restorePermissionState","file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"},"digest":{"function_hash":"122957904428876774460389341088842378663","length":8765}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/dd48aab843ff7b19fa5fbde987d84b76c92922f2","id":"ASB-A-210065877-90f2fda1","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"},"digest":{"threshold":0.9,"line_hashes":["204068925692065732622297449105718764950","189002681868105969675858536182292719692","27119499515421481643088173525291392512","309020344221767103913966043106851831373","94532263032810138178452766913210053001","145770841673157355582929213949103756484","121858566232927313939010965935187168921","177498258042140996260575903969205252874","157672850619058297516428766977646296191","122586252879616957845736246789726967874","49295243026898906572170636147125349825","140287879494077765913243099683714685357","338583801412692770865376243698492200826","312154753232476171165435569596566928389","251327487216216132552046834505879001760","272786978245618890801536400053749027092","16755325034230407185356123000104119490","266325398593348129313837249785764061006","81183483232826653128425546244167158126","89583781141578730997026421727059260226","137025581340638661145686941050757022756","247875880308441436746754417505263827341","107383290604112603127335460872191143314","259745650538462562304317647837850807378","110635991185879868564817031942272871690","81522928803926506048863656976925063374","233020365937013684941229783684964983097","68476467424128480975241919625541521298","52764643450515969104304985049234796646","62950841911947415746268478580969992406","236732265184660035366467935863000898408","75407180318704451699303769443305508093","108587633537507210242609878158511307392","223346374230332314202607025582642319083","25769565521317829918966238158725570349","35018291119125253438113329575662430308","51657818545401116001910514239752911792","277889238348594391941544173186934120630","212104117500095294343351554471806212485","256620539703273529247375758003833936612"]}}],"types":["EoP"],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-210065877.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-11-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/41dc761e081d8c6de48ddc3b960e12e4fd24c8b7"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/41dc761e081d8c6de48ddc3b960e12e4fd24c8b7","id":"ASB-A-210065877-1e2ada85","signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java"},"digest":{"threshold":0.9,"line_hashes":["204068925692065732622297449105718764950","189002681868105969675858536182292719692","27119499515421481643088173525291392512","309020344221767103913966043106851831373","94532263032810138178452766913210053001","145770841673157355582929213949103756484","121858566232927313939010965935187168921","177498258042140996260575903969205252874","157672850619058297516428766977646296191","122586252879616957845736246789726967874","49295243026898906572170636147125349825","140287879494077765913243099683714685357","338583801412692770865376243698492200826","312154753232476171165435569596566928389","251327487216216132552046834505879001760","272786978245618890801536400053749027092","16755325034230407185356123000104119490","266325398593348129313837249785764061006","81183483232826653128425546244167158126","89583781141578730997026421727059260226","137025581340638661145686941050757022756","247875880308441436746754417505263827341","107383290604112603127335460872191143314","259745650538462562304317647837850807378","110635991185879868564817031942272871690","81522928803926506048863656976925063374","233020365937013684941229783684964983097","68476467424128480975241919625541521298","52764643450515969104304985049234796646","62950841911947415746268478580969992406","236732265184660035366467935863000898408","75407180318704451699303769443305508093","108587633537507210242609878158511307392","223346374230332314202607025582642319083","25769565521317829918966238158725570349","35018291119125253438113329575662430308","51657818545401116001910514239752911792","277889238348594391941544173186934120630","212104117500095294343351554471806212485","256620539703273529247375758003833936612"]}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/41dc761e081d8c6de48ddc3b960e12e4fd24c8b7","id":"ASB-A-210065877-7f63d209","signature_version":"v1","signature_type":"Function","deprecated":false,"target":{"function":"restorePermissionState","file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java"},"digest":{"function_hash":"49249527759310573510656247232703678512","length":9214}}],"types":["EoP"],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-210065877.json"}}],"schema_version":"1.7.5"}