CVE-2022-20347: 
NixOS vulnerability analysis and mitigation

CVE-2022-20347 is a permission bypass vulnerability discovered in the onAttach function of ConnectedDeviceDashboardFragment.java in Android. The vulnerability affects Android versions 10, 11, 12, and 12L. This security flaw was disclosed in August 2022 and allows potential remote escalation of privilege in Bluetooth settings without requiring additional execution privileges or user interaction (Android Security Bulletin, NVD).

The vulnerability stems from a confused deputy issue in the onAttach function of ConnectedDeviceDashboardFragment.java. The CVSS v3.1 base score is 8.8 (HIGH), with the following vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited with adjacent network access, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD).

If exploited, this vulnerability could lead to remote escalation of privilege specifically within Bluetooth settings. The high CVSS score indicates that successful exploitation could result in significant compromise of system confidentiality, integrity, and availability (NVD).

Google addressed this vulnerability in the Android Security Bulletin for August 2022. Users should ensure their Android devices are updated with the security patch level of August 1, 2022, or later to protect against this vulnerability (Android Security Bulletin).