{"id":"ASB-A-221040577","details":"In onPackageAddedInternal of PermissionManagerService.java, there is a possible way to silently grant a permission after a Target SDK update due to a permissions bypass. This could lead to local escalation of privilege after updating an app to a higher Target SDK with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-221040577","CVE-2023-20906"],"modified":"2026-04-29T15:10:00.007170Z","published":"2023-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/5e80fcf8c423f288a87d727f48ae38112177d716"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-03-01"}]}],"versions":["13-next"],"ecosystem_specific":{"spl":"2023-03-01","vanir_signatures":[{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/e6efe583f98644440f675bb2cc5a75d665ca31c9","signature_version":"v1","id":"ASB-A-221040577-3f6453eb","digest":{"threshold":0.9,"line_hashes":["332912690824931462244194323491242883782","259989983721407450859979620886065752986","38869589564361465266772387587708486935","55540827721963568973809242028415986211","336942483118682634612537402811980972292","240623499310114656397924907302367732384","49116731288914950667429861431582766175"]},"signature_type":"Line"},{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java","function":"onPackageAddedInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/e6efe583f98644440f675bb2cc5a75d665ca31c9","signature_version":"v1","id":"ASB-A-221040577-d706e222","digest":{"function_hash":"254934654226332861981312680198584974655","length":1171},"signature_type":"Function"}],"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/e6efe583f98644440f675bb2cc5a75d665ca31c9"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221040577.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-03-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2023-03-01","vanir_signatures":[{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceInternal.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a","signature_version":"v1","id":"ASB-A-221040577-2031bccb","digest":{"threshold":0.9,"line_hashes":["63617228123231389157678444016981042758","307817833435620765044176194408880760069","145625110771803479936844521300901125064","95493312720080284709043055752853624397","243996333839111971992555695183695671801","334509522104777894484931643752337482002","138150838695361478392070281702230292223","278604607850135422571958282041771463121","22656488853290935534549218894676931759","25290995885617357257344267291092550861","100417968865404874609375927335168003552"]},"signature_type":"Line"},{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a","signature_version":"v1","id":"ASB-A-221040577-46984a93","digest":{"threshold":0.9,"line_hashes":["30553861861542596536484849737338142538","64422473440631326362935125530765734808","66617370866194042534636165393138419215","253486867763259364198838821018249159346","234427732332460419683280325131817786104","170751048600913403647270996771904538081","315552169768819034331054160079121776308","19079637256359424495946882261832414760","58624928594643985245701146764633234660","60342793402009383795077237736412838416","260836991285810948609356616388936811191","103647162603698848244913627223363131578","80879277292638886615080913027510501208","40119369577325674107995636609886042298","195666147893739222628403882447240346435","303660049123680962705019011860582343065","148437318290529669344121565119150032859","86349647666249459856572696221300111365"]},"signature_type":"Line"},{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a","signature_version":"v1","id":"ASB-A-221040577-6769a809","digest":{"threshold":0.9,"line_hashes":["211944118180056668024505643965069121348","101383814151195122333233703118074256060","100153087899313758591344044118174399317","8623634095673080074026369860095805136","200222505482104338504794180945021285318","191042270520810155457571782397370298001"]},"signature_type":"Line"},{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java","function":"commitPackageSettings"},"source":"https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a","signature_version":"v1","id":"ASB-A-221040577-a4636b68","digest":{"function_hash":"186704004956831636458598013952277793202","length":5056},"signature_type":"Function"},{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java","function":"revokeRuntimePermissionsIfGroupChanged"},"source":"https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a","signature_version":"v1","id":"ASB-A-221040577-ff06d8d4","digest":{"function_hash":"176798206311331559845208305831929425920","length":192},"signature_type":"Function"}],"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2f30a63b11e59f9daf42f51eb85aa91c86f4baf4","https://android.googlesource.com/platform/frameworks/base/+/14551ab6d2c754d83d6b504549aabb40018d9c6a"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221040577.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-03-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2023-03-01","vanir_signatures":[{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/5e80fcf8c423f288a87d727f48ae38112177d716","signature_version":"v1","id":"ASB-A-221040577-94290be3","digest":{"threshold":0.9,"line_hashes":["332912690824931462244194323491242883782","259989983721407450859979620886065752986","38869589564361465266772387587708486935","55540827721963568973809242028415986211","336942483118682634612537402811980972292","240623499310114656397924907302367732384","49116731288914950667429861431582766175"]},"signature_type":"Line"},{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java","function":"onPackageAddedInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/5e80fcf8c423f288a87d727f48ae38112177d716","signature_version":"v1","id":"ASB-A-221040577-c64d9b5c","digest":{"function_hash":"254934654226332861981312680198584974655","length":1171},"signature_type":"Function"}],"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/5e80fcf8c423f288a87d727f48ae38112177d716"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221040577.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-03-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2023-03-01","vanir_signatures":[{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2509b12e6fc921c855e16471a8b6648535626f1d","signature_version":"v1","id":"ASB-A-221040577-883a94cf","digest":{"threshold":0.9,"line_hashes":["332912690824931462244194323491242883782","259989983721407450859979620886065752986","38869589564361465266772387587708486935","55540827721963568973809242028415986211","336942483118682634612537402811980972292","240623499310114656397924907302367732384","49116731288914950667429861431582766175"]},"signature_type":"Line"},{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerService.java","function":"onPackageAddedInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2509b12e6fc921c855e16471a8b6648535626f1d","signature_version":"v1","id":"ASB-A-221040577-db99635e","digest":{"function_hash":"254934654226332861981312680198584974655","length":1171},"signature_type":"Function"}],"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2509b12e6fc921c855e16471a8b6648535626f1d"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221040577.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-03-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-03-01","vanir_signatures":[{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java","function":"onPackageAddedInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/fba194b998cf22d073a36cb5c6f9397c2dc1a50e","signature_version":"v1","id":"ASB-A-221040577-249277d7","digest":{"function_hash":"254934654226332861981312680198584974655","length":1171},"signature_type":"Function"},{"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/fba194b998cf22d073a36cb5c6f9397c2dc1a50e","signature_version":"v1","id":"ASB-A-221040577-fd402e7c","digest":{"threshold":0.9,"line_hashes":["332912690824931462244194323491242883782","259989983721407450859979620886065752986","38869589564361465266772387587708486935","55540827721963568973809242028415986211","336942483118682634612537402811980972292","240623499310114656397924907302367732384","49116731288914950667429861431582766175"]},"signature_type":"Line"}],"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/fba194b998cf22d073a36cb5c6f9397c2dc1a50e"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221040577.json"}}],"schema_version":"1.7.5"}