CVE-2023-40076: Information disclosure in Google Android
In createPendingIntent of CredentialManagerUi.java, there is a possible way to access credentials from other users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AI Analysis
Technical Summary
CVE-2023-40076 is a medium-severity vulnerability affecting Google Android version 14, specifically within the CredentialManagerUi.java component. The flaw resides in the createPendingIntent method, where a permissions bypass allows an attacker to access credentials belonging to other users on the same device. This vulnerability is classified under CWE-276, which relates to improper permissions or access control. Exploitation does not require user interaction, and no additional execution privileges beyond local access are needed, meaning an attacker with limited privileges on the device can escalate their access to sensitive credential information of other users. The vulnerability impacts confidentiality by exposing sensitive credential data but does not affect integrity or availability. The CVSS 3.1 base score is 5.5, reflecting a medium severity with an attack vector limited to local access (AV:L), low attack complexity (AC:L), and requiring low privileges (PR:L). There is no indication of known exploits in the wild, and no patches are currently linked, suggesting that mitigation may rely on forthcoming updates or configuration changes. The vulnerability could be leveraged by malicious local applications or users to gain unauthorized access to credentials, potentially leading to further compromise of user accounts or services tied to those credentials.
Potential Impact
For European organizations, this vulnerability poses a risk primarily in environments where Android 14 devices are used and shared among multiple users or where multiple user profiles exist on a single device. The exposure of credentials could lead to unauthorized access to corporate resources, internal applications, or sensitive personal data, undermining confidentiality and potentially facilitating lateral movement within enterprise networks. Organizations with Bring Your Own Device (BYOD) policies or shared device scenarios are particularly at risk. The lack of required user interaction and the ability to exploit the vulnerability with low privileges increase the threat level in environments with less stringent device access controls. While the vulnerability does not directly impact system integrity or availability, the compromise of credentials can lead to broader security incidents, including data breaches or unauthorized access to cloud services and enterprise applications. Given the widespread use of Android devices in Europe for both personal and professional purposes, the vulnerability could have significant implications if exploited in targeted attacks against high-value users or sectors such as finance, government, or critical infrastructure.
Mitigation Recommendations
To mitigate CVE-2023-40076, European organizations should:
1) Monitor for and promptly apply official security patches from Google or device manufacturers once available, as no patches are currently linked.
2) Restrict local device access by enforcing strong device authentication methods and limiting the number of users or profiles on Android 14 devices, especially in shared or corporate environments.
3) Implement mobile device management (MDM) solutions that can enforce security policies, restrict installation of untrusted applications, and monitor for suspicious local privilege escalations.
4) Educate users on the risks of installing untrusted applications or granting excessive permissions, as local attackers may exploit this vulnerability via malicious apps.
5) Consider isolating sensitive credential stores or using hardware-backed security features such as Trusted Execution Environments (TEE) or StrongBox where possible to reduce the risk of credential exposure.
6) Conduct regular audits of device configurations and user permissions to detect and remediate potential misuse or unauthorized access.
These steps go beyond generic advice by focusing on controlling local access vectors and preparing for patch deployment.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: google_android
- Date Reserved: 2023-08-09T02:29:29.266Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68386826182aa0cae2801b53
Added to database: 5/29/2025, 1:59:02 PM
Last enriched: 7/8/2025, 2:59:41 AM
Last updated: 8/14/2025, 1:19:30 AM