{"id":"ASB-A-240138294","details":"In readLazyValue of Parcel.java, there is a possible loading of arbitrary code into the System Settings app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-240138294","CVE-2022-20474"],"modified":"2026-05-01T15:24:27.653932Z","published":"2022-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/569c3023f839bca077cd3cccef0a3bef9c31af63"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/1e41d33566f84f624f6a755e4493432d5bd82915"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-12-01"}]}],"versions":["10"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"length":2612,"function_hash":"220950197671026908620116892012269337281"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-00727c86","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["65744354714521746236409576191947554438","336100995050413396604471046648600747849","46174948320726816946394223971298634080","204359576054625082268789891801367566762","208991286625372726279956857582409591002","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513","73315145992809006133637400549815878830","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513","131094452132685235150002717794774811759","218046355958882751674254932052378610608","202670327038763020310835509548705256826","319808544072902901818988794735872465308","294963086035200924983677506496592561929","266889227588429636352149285826247001618","287536587174859972781888474519565795358","73315145992809006133637400549815878830","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513"]},"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-083f2460","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java"}},{"signature_version":"v1","digest":{"length":2210,"function_hash":"283194143277269717748301748310619667576"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-48619685","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"length":1604,"function_hash":"156948064075838632746183658421607701443"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-70c5336a","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"length":1167,"function_hash":"38370320216997995420236719490943001759"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-aa21fefb","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"checkKeyIntent"}},{"signature_version":"v1","digest":{"length":5385,"function_hash":"106863402836542716138093788315930033614"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-f0320297","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"getAuthToken"}}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82"],"spl":"2022-12-01","types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-240138294.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-12-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"length":5385,"function_hash":"106863402836542716138093788315930033614"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-139dbec5","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"getAuthToken"}},{"signature_version":"v1","digest":{"length":1167,"function_hash":"38370320216997995420236719490943001759"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-1436e0f9","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"checkKeyIntent"}},{"signature_version":"v1","digest":{"length":1604,"function_hash":"156948064075838632746183658421607701443"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-1732870c","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"length":2612,"function_hash":"220950197671026908620116892012269337281"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-2b210912","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"length":2210,"function_hash":"283194143277269717748301748310619667576"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-7fbdde97","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["65744354714521746236409576191947554438","336100995050413396604471046648600747849","46174948320726816946394223971298634080","204359576054625082268789891801367566762","208991286625372726279956857582409591002","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513","73315145992809006133637400549815878830","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513","131094452132685235150002717794774811759","218046355958882751674254932052378610608","202670327038763020310835509548705256826","319808544072902901818988794735872465308","294963086035200924983677506496592561929","266889227588429636352149285826247001618","287536587174859972781888474519565795358","73315145992809006133637400549815878830","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513"]},"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-b3500800","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java"}}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82"],"spl":"2022-12-01","types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-240138294.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-12-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"length":2210,"function_hash":"283194143277269717748301748310619667576"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-0bab2a56","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"length":1167,"function_hash":"38370320216997995420236719490943001759"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-0ce8adbc","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"checkKeyIntent"}},{"signature_version":"v1","digest":{"length":5385,"function_hash":"106863402836542716138093788315930033614"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-3d4a9fae","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"getAuthToken"}},{"signature_version":"v1","digest":{"length":1604,"function_hash":"156948064075838632746183658421607701443"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-421b1bbd","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["65744354714521746236409576191947554438","336100995050413396604471046648600747849","46174948320726816946394223971298634080","204359576054625082268789891801367566762","208991286625372726279956857582409591002","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513","73315145992809006133637400549815878830","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513","131094452132685235150002717794774811759","218046355958882751674254932052378610608","202670327038763020310835509548705256826","319808544072902901818988794735872465308","294963086035200924983677506496592561929","266889227588429636352149285826247001618","287536587174859972781888474519565795358","73315145992809006133637400549815878830","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513"]},"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-eeb2db13","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java"}},{"signature_version":"v1","digest":{"length":2612,"function_hash":"220950197671026908620116892012269337281"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-ff13d04d","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82"],"spl":"2022-12-01","types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-240138294.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-12-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"length":1604,"function_hash":"156948064075838632746183658421607701443"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-03adb9b5","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"length":1167,"function_hash":"38370320216997995420236719490943001759"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-175b0f49","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"checkKeyIntent"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["65744354714521746236409576191947554438","336100995050413396604471046648600747849","46174948320726816946394223971298634080","204359576054625082268789891801367566762","208991286625372726279956857582409591002","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513","73315145992809006133637400549815878830","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513","131094452132685235150002717794774811759","218046355958882751674254932052378610608","202670327038763020310835509548705256826","319808544072902901818988794735872465308","294963086035200924983677506496592561929","266889227588429636352149285826247001618","287536587174859972781888474519565795358","73315145992809006133637400549815878830","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513"]},"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-79172dc1","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java"}},{"signature_version":"v1","digest":{"length":2210,"function_hash":"283194143277269717748301748310619667576"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-8878cac2","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"length":5385,"function_hash":"106863402836542716138093788315930033614"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-bda1d53e","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"getAuthToken"}},{"signature_version":"v1","digest":{"length":2612,"function_hash":"220950197671026908620116892012269337281"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82","id":"ASB-A-240138294-dd9281ac","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82"],"spl":"2022-12-01","types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-240138294.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-12-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"length":1140,"function_hash":"119819233901957715080604570772080806263"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329","id":"ASB-A-240138294-0152ae22","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"checkKeyIntent"}},{"signature_version":"v1","digest":{"length":362,"function_hash":"65631911930041298540002693789372037050"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/34683275498914ece5ee9435846b7b429ccfc964","id":"ASB-A-240138294-05719152","deprecated":false,"target":{"file":"core/java/android/os/Parcel.java","function":"readLazyValue"}},{"signature_version":"v1","digest":{"length":5627,"function_hash":"172104913434305629063826639954111096960"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329","id":"ASB-A-240138294-11ef425f","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"getAuthToken"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["231045337660171488666168590541471054540","248523352219235644303151030262148233029","314133701034599983666413107751200451172","252501481589049757718974268511663338499"]},"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/34683275498914ece5ee9435846b7b429ccfc964","id":"ASB-A-240138294-1e47334d","deprecated":false,"target":{"file":"core/java/android/os/Parcel.java"}},{"signature_version":"v1","digest":{"length":2210,"function_hash":"283194143277269717748301748310619667576"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329","id":"ASB-A-240138294-2062c6cd","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"length":2612,"function_hash":"220950197671026908620116892012269337281"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329","id":"ASB-A-240138294-2e349a7e","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"length":1604,"function_hash":"156948064075838632746183658421607701443"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329","id":"ASB-A-240138294-d1d77d12","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java","function":"onResult"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["197401720662816539459617790767298463363","297452927230242983594296518816596032312","243543373481505492379459454436153318386","204359576054625082268789891801367566762","208991286625372726279956857582409591002","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513","73315145992809006133637400549815878830","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513","131094452132685235150002717794774811759","218046355958882751674254932052378610608","202670327038763020310835509548705256826","319808544072902901818988794735872465308","294963086035200924983677506496592561929","266889227588429636352149285826247001618","287536587174859972781888474519565795358","73315145992809006133637400549815878830","294424605946274934913008858286110933628","39620355197721807861858985648559892713","122050568306174614461067255367068473513"]},"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329","id":"ASB-A-240138294-f61d7e48","deprecated":false,"target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java"}}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/34683275498914ece5ee9435846b7b429ccfc964","https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329"],"spl":"2022-12-01","types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-240138294.json"}}],"schema_version":"1.7.5"}