CVE-2023-21265

HIGH

Android - Improper Certificate Validation

Title source: llm

Description

In multiple locations, there are root CA certificates which need to be disabled. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

References (2)

Core 2

Core References

Patch

https://android.googlesource.com/platform/system/ca-certificates/+/6065b4a4c7da9cc9ee01c2f6389575647d2724c4

Patch, Vendor Advisory

https://source.android.com/security/bulletin/2023-08-01

Scores

CVSS v3 7.5

EPSS 0.0028

EPSS Percentile 19.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (4)

google/android 11.0

google/android 12.0

google/android 13.0

google/android 13.1

Published Aug 14, 2023

Tracked Since Feb 18, 2026