CVE-2023-40104
HIGHAndroid - Remote Information Disclosure via Untrusted Cryptographic Certificates
Title source: llmDescription
In ca-certificates, there is a possible way to read encrypted TLS data due to untrusted cryptographic certificates. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References (2)
Core 2
Core References
Mailing List, Patch
https://android.googlesource.com/platform/system/ca-certificates/+/91204b9fdbd77b3f27f94b73868607b2dccbfdad
Patch, Vendor Advisory
https://source.android.com/security/bulletin/2023-11-01
Scores
CVSS v3
7.5
EPSS
0.0031
EPSS Percentile
53.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Products (4)
google/android
11.0
google/android
12.0
google/android
12.1
google/android
13.0
Published
Feb 15, 2024
Tracked Since
Feb 18, 2026