{"id":"ASB-A-243378132","details":"In onPackageRemoved of AccessibilityManagerService.java, there is a possibility to automatically grant accessibility services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-243378132","CVE-2023-20921"],"modified":"2026-04-30T15:48:46.890647Z","published":"2023-01-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-01-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/7cad088a533f967d94c8d436b609e4ed2b184897"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2023-01-01"}]}],"versions":["10"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["236631357762625178675023541390441752221","10595195653811829102514404699409020643","118646039670723451812982949215475581031","308106080403074465601407965368341122746","257531265060042935403164492950648892981","29846843808137443483246000717080862150","166691140886119245516343242551824859128","301596378629914302364551311646528725673","143018679850793703375987037922897840918","291707394074430904116119120004350413287","122714709178344749347158447730012232573","304452781087085710561676062515564431274","26484132709224229574958746359851073956","207719386867169009892832194776872560967","186460278978359319341555873407909587196","318161903193323979827882538396094327559","335742583378191237584529136782329445411","182076733878820234577063963982364458997","188634755782281652840004754257306185162","293949540968280903538352693917672011553","108587633537507210242609878158511307392","295747577431459138783214723720080232905"],"threshold":0.9},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"},"id":"ASB-A-243378132-31cc3c7c","source":"https://android.googlesource.com/platform/frameworks/base/+/37966299859153377e61a6a97b036388d231c2d0"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"length":749,"function_hash":"41468928610322268501338051732645977169"},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"onPackageRemoved"},"id":"ASB-A-243378132-c0ae94d4","source":"https://android.googlesource.com/platform/frameworks/base/+/37966299859153377e61a6a97b036388d231c2d0"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"length":4324,"function_hash":"330331932412139811646432065080055047"},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"registerBroadcastReceivers"},"id":"ASB-A-243378132-d687118d","source":"https://android.googlesource.com/platform/frameworks/base/+/37966299859153377e61a6a97b036388d231c2d0"}],"spl":"2023-01-01","severity":"High","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/37966299859153377e61a6a97b036388d231c2d0"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243378132.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-01-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"length":917,"function_hash":"122592281931139715014269638805728949640"},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"onPackageRemoved"},"id":"ASB-A-243378132-5a689cbf","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"length":5358,"function_hash":"213937848733813786983288430467818877027"},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"registerBroadcastReceivers"},"id":"ASB-A-243378132-cca3e3a2","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"},{"signature_version":"v1","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["120544117324700545087338990654297186575","298300173742793367670243473200708659368","75028889963202810443403858792404514626","1814652559885654915609354500658874335","18432821694174943006265164083414281214","293554040932675007454802700746005267112","22732033932196370463803681708292818366","225326834748319365348113367094016570252","297015841027970518372091856753329288334","122714709178344749347158447730012232573","304452781087085710561676062515564431274","26484132709224229574958746359851073956","207719386867169009892832194776872560967","186460278978359319341555873407909587196","318161903193323979827882538396094327559","335742583378191237584529136782329445411","182076733878820234577063963982364458997","188634755782281652840004754257306185162","293949540968280903538352693917672011553","108587633537507210242609878158511307392","295747577431459138783214723720080232905"],"threshold":0.9},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"},"id":"ASB-A-243378132-d6839dd7","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"}],"spl":"2023-01-01","severity":"High","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243378132.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-01-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["120544117324700545087338990654297186575","298300173742793367670243473200708659368","75028889963202810443403858792404514626","1814652559885654915609354500658874335","18432821694174943006265164083414281214","293554040932675007454802700746005267112","22732033932196370463803681708292818366","225326834748319365348113367094016570252","297015841027970518372091856753329288334","122714709178344749347158447730012232573","304452781087085710561676062515564431274","26484132709224229574958746359851073956","207719386867169009892832194776872560967","186460278978359319341555873407909587196","318161903193323979827882538396094327559","335742583378191237584529136782329445411","182076733878820234577063963982364458997","188634755782281652840004754257306185162","293949540968280903538352693917672011553","108587633537507210242609878158511307392","295747577431459138783214723720080232905"],"threshold":0.9},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"},"id":"ASB-A-243378132-2c99561c","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"length":5358,"function_hash":"213937848733813786983288430467818877027"},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"registerBroadcastReceivers"},"id":"ASB-A-243378132-c30fe324","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"length":917,"function_hash":"122592281931139715014269638805728949640"},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"onPackageRemoved"},"id":"ASB-A-243378132-ec319c69","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"}],"spl":"2023-01-01","severity":"High","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243378132.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-01-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"length":5358,"function_hash":"213937848733813786983288430467818877027"},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"registerBroadcastReceivers"},"id":"ASB-A-243378132-0ae27b2c","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"length":917,"function_hash":"122592281931139715014269638805728949640"},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"onPackageRemoved"},"id":"ASB-A-243378132-e5a9802f","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"},{"signature_version":"v1","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["120544117324700545087338990654297186575","298300173742793367670243473200708659368","75028889963202810443403858792404514626","1814652559885654915609354500658874335","18432821694174943006265164083414281214","293554040932675007454802700746005267112","22732033932196370463803681708292818366","225326834748319365348113367094016570252","297015841027970518372091856753329288334","122714709178344749347158447730012232573","304452781087085710561676062515564431274","26484132709224229574958746359851073956","207719386867169009892832194776872560967","186460278978359319341555873407909587196","318161903193323979827882538396094327559","335742583378191237584529136782329445411","182076733878820234577063963982364458997","188634755782281652840004754257306185162","293949540968280903538352693917672011553","108587633537507210242609878158511307392","295747577431459138783214723720080232905"],"threshold":0.9},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"},"id":"ASB-A-243378132-e79bcdfb","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"}],"spl":"2023-01-01","severity":"High","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243378132.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-01-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["120544117324700545087338990654297186575","298300173742793367670243473200708659368","75028889963202810443403858792404514626","1814652559885654915609354500658874335","18432821694174943006265164083414281214","293554040932675007454802700746005267112","22732033932196370463803681708292818366","225326834748319365348113367094016570252","297015841027970518372091856753329288334","122714709178344749347158447730012232573","304452781087085710561676062515564431274","26484132709224229574958746359851073956","207719386867169009892832194776872560967","186460278978359319341555873407909587196","318161903193323979827882538396094327559","335742583378191237584529136782329445411","182076733878820234577063963982364458997","188634755782281652840004754257306185162","293949540968280903538352693917672011553","108587633537507210242609878158511307392","295747577431459138783214723720080232905"],"threshold":0.9},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"},"id":"ASB-A-243378132-06c4a3e8","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"length":5358,"function_hash":"213937848733813786983288430467818877027"},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"registerBroadcastReceivers"},"id":"ASB-A-243378132-ebe202a0","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"},{"signature_version":"v1","signature_type":"Function","deprecated":false,"digest":{"length":917,"function_hash":"122592281931139715014269638805728949640"},"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"onPackageRemoved"},"id":"ASB-A-243378132-ec23a969","source":"https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"}],"spl":"2023-01-01","severity":"High","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e1f343acdeeddd9a08c9f6c832faf788ce101763"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-243378132.json"}}],"schema_version":"1.7.5"}