CVE-2023-20912: 
NixOS vulnerability analysis and mitigation

In onActivityResult of AvatarPickerActivity.java in Android 13, there exists a vulnerability (CVE-2023-20912) that allows access to images belonging to other users due to a missing permission check. The vulnerability was disclosed in January 2023 and affects Android version 13 (Android Bulletin).

The vulnerability stems from insufficient validation of user fields within the AvatarPickerActivity.java component. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is characterized by a missing permission check in the onActivityResult method, which could lead to unauthorized access to user images (NVD).

The vulnerability can lead to local escalation of privilege with no additional execution privileges needed. An attacker could potentially access images belonging to other users on the device. The impact is significant as it affects user privacy and data confidentiality, with no user interaction required for exploitation (NVD).

The vulnerability was addressed in the Android Security Bulletin for January 2023. Users should ensure their Android devices are updated with the security patch level dated 2023-01-01 or later (Android Bulletin).