{"id":"ASB-A-246301995","details":"In onActivityResult of AvatarPickerActivity.java, there is a possible way to access images belonging to other users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-246301995","CVE-2023-20912"],"modified":"2026-04-17T15:55:28.020024Z","published":"2023-01-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-01-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/f43df6ae00abc070b459f861f40eca736f73d381"}],"affected":[{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-01-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-01-01","types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/db654251f2754d1a4778111eace8086bc8b44959"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-246301995.json"}}],"schema_version":"1.7.5"}