CVE-2023-21237
MEDIUM KEV
Android 13 - Local Information Disclosure via NotificationContentInflater
Title source: llm
Exploitation Summary
CVE-2023-21237 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 5, 2024.
Description
In applyRemoteView of NotificationContentInflater.java, there is a possible way to hide foreground service notification due to misleading or insufficient UI. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-13
Android ID: A-251586912
References (2)
Core References
Vendor Advisory
https://source.android.com/security/bulletin/pixel/2023-06-01
Third Party Advisory, US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-21237
Scores
CVSS v3: 5.5
EPSS: 0.0098
EPSS Percentile: 77.3%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: partial
Details
CISA KEV: 2024-03-05
VulnCheck KEV: 2023-06-13
InTheWild.io: 2024-03-05
ENISA EUVD: EUVD-2023-25405
CWE: CWE-200
Status: published
Products (1)
google/android: 13.0
Published: Jun 28, 2023
KEV Added: Mar 05, 2024
Tracked Since: Feb 18, 2026