{"id":"ASB-A-239701237","details":"In writeApplicationRestrictionsLAr of UserManagerService.java, there is a possible overwrite of system files due to a path traversal error. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-239701237","CVE-2022-20449"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2022-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/1b9b59c63bffc675a042cba6cd666831abef2c3e"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-12-01"}]}],"versions":["10"],"ecosystem_specific":{"types":["DoS"],"spl":"2022-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/cfcfe6ca8c545f78603c05e23687f8638fd4b51d"],"severity":"High","vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/pm/UserManagerService.java"},"signature_type":"Line","deprecated":false,"id":"ASB-A-239701237-08a5238b","digest":{"line_hashes":["60676264421018491029098267007649352048","96880129610797312730379785827976580551","8916979314763594955163789788798071519","190311535256337988751608138939726760505","17941578793664301904950243975030905922","197600117250010257420588618957093355606","53797310922398388453958968680970082509","17234656718489223855727244315471540302","4494566512991468182257035036658827013","308688002306591719534515716485546701452","292882381086839317005526967849453008923"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/cfcfe6ca8c545f78603c05e23687f8638fd4b51d"},{"digest":{"length":553,"function_hash":"3665991346729794305463037127088892183"},"target":{"function":"setApplicationRestrictions","file":"services/core/java/com/android/server/pm/UserManagerService.java"},"deprecated":false,"id":"ASB-A-239701237-8b04e4e2","signature_type":"Function","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/cfcfe6ca8c545f78603c05e23687f8638fd4b51d"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239701237.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-12-01"}]}],"versions":["11"],"ecosystem_specific":{"types":["DoS"],"spl":"2022-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/cfcfe6ca8c545f78603c05e23687f8638fd4b51d"],"severity":"High","vanir_signatures":[{"signature_type":"Line","digest":{"line_hashes":["60676264421018491029098267007649352048","96880129610797312730379785827976580551","8916979314763594955163789788798071519","190311535256337988751608138939726760505","17941578793664301904950243975030905922","197600117250010257420588618957093355606","53797310922398388453958968680970082509","17234656718489223855727244315471540302","4494566512991468182257035036658827013","308688002306591719534515716485546701452","292882381086839317005526967849453008923"],"threshold":0.9},"deprecated":false,"id":"ASB-A-239701237-5b74ef30","target":{"file":"services/core/java/com/android/server/pm/UserManagerService.java"},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/cfcfe6ca8c545f78603c05e23687f8638fd4b51d"},{"signature_type":"Function","digest":{"length":553,"function_hash":"3665991346729794305463037127088892183"},"deprecated":false,"id":"ASB-A-239701237-feb6426a","target":{"function":"setApplicationRestrictions","file":"services/core/java/com/android/server/pm/UserManagerService.java"},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/cfcfe6ca8c545f78603c05e23687f8638fd4b51d"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239701237.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-12-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["DoS"],"spl":"2022-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/1b9b59c63bffc675a042cba6cd666831abef2c3e"],"severity":"High","vanir_signatures":[{"digest":{"line_hashes":["8726669358009533754711768650652471102","297095608694449044964208227087478768880","328639330774714907100642728544503363204","17852590006241573587183847420349458720","180574211167961718387810598829512067092","270447186769324840768603429604711616687","291492784790979532703841348606774441797","17234656718489223855727244315471540302","4494566512991468182257035036658827013","100067285054918524368057218554415546387","211161732107471073183069677845043101530"],"threshold":0.9},"target":{"file":"services/core/java/com/android/server/pm/UserManagerService.java"},"deprecated":false,"id":"ASB-A-239701237-f2c58b61","signature_type":"Line","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/1b9b59c63bffc675a042cba6cd666831abef2c3e"},{"signature_type":"Function","digest":{"function_hash":"23443127663564534087095444263018226139","length":634},"deprecated":false,"id":"ASB-A-239701237-f3d19096","target":{"function":"setApplicationRestrictions","file":"services/core/java/com/android/server/pm/UserManagerService.java"},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/1b9b59c63bffc675a042cba6cd666831abef2c3e"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239701237.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-12-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["DoS"],"spl":"2022-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/1b9b59c63bffc675a042cba6cd666831abef2c3e"],"severity":"High","vanir_signatures":[{"signature_type":"Function","digest":{"length":634,"function_hash":"23443127663564534087095444263018226139"},"deprecated":false,"id":"ASB-A-239701237-48c7650c","target":{"function":"setApplicationRestrictions","file":"services/core/java/com/android/server/pm/UserManagerService.java"},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/1b9b59c63bffc675a042cba6cd666831abef2c3e"},{"signature_type":"Line","digest":{"line_hashes":["8726669358009533754711768650652471102","297095608694449044964208227087478768880","328639330774714907100642728544503363204","17852590006241573587183847420349458720","180574211167961718387810598829512067092","270447186769324840768603429604711616687","291492784790979532703841348606774441797","17234656718489223855727244315471540302","4494566512991468182257035036658827013","100067285054918524368057218554415546387","211161732107471073183069677845043101530"],"threshold":0.9},"deprecated":false,"id":"ASB-A-239701237-83f36119","target":{"file":"services/core/java/com/android/server/pm/UserManagerService.java"},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/1b9b59c63bffc675a042cba6cd666831abef2c3e"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-239701237.json"}}],"schema_version":"1.7.5"}