CVE-2022-20289: 
NixOS vulnerability analysis and mitigation

In PackageInstaller on Android 13, there exists a vulnerability (CVE-2022-20289) that allows determining whether an app is installed without query permissions through side channel information disclosure. The vulnerability was disclosed in the Android security bulletin and affects Android version 13.0 (Android Bulletin).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires local access, low attack complexity, low privileges, and no user interaction to exploit. The vulnerability can lead to high confidentiality impact but does not affect integrity or availability (NVD).

The vulnerability allows an attacker to determine whether specific applications are installed on the device without having the necessary query permissions. This represents a local information disclosure vulnerability that could potentially be used for targeted attacks or surveillance (NVD).

The vulnerability has been addressed in Android 13 security updates. Users should ensure their devices are updated with the latest security patches provided through the Android security bulletin (Android Bulletin).