CVE-2023-21117: 
NixOS vulnerability analysis and mitigation

In registerReceiverWithFeature of ActivityManagerService.java in Android 13, there exists a vulnerability that allows isolated processes to register a broadcast receiver due to a permissions bypass. This vulnerability (CVE-2023-21117) was disclosed in the Android Security Bulletin of May 2023 (Android Bulletin).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability exists in the ActivityManagerService.java component and specifically affects the registerReceiverWithFeature functionality. No additional execution privileges are needed for exploitation, and user interaction is not required (NVD).

A successful exploitation of this vulnerability could lead to local escalation of privilege. The vulnerability affects the confidentiality, integrity, and availability of the system, as indicated by the CVSS scoring. The attacker could potentially gain elevated privileges within the Android system through the permissions bypass mechanism (NVD).

The vulnerability was addressed in the Android Security Bulletin for May 2023. Users should update their Android devices to a version containing the security patch level of 2023-05-01 or later to protect against this vulnerability (Android Bulletin).