
Cloud Vulnerability DB
A community-led vulnerabilities database
In visitUris of Notification.java in Android, there exists a vulnerability (CVE-2023-21239) that could potentially leak image data across user boundaries due to a confused deputy. The vulnerability affects Android versions 12.0, 12.1, and 13.0. This security issue was disclosed in the July 2023 Android Security Bulletin (Android Bulletin).
The vulnerability is classified as a local information disclosure issue with a CVSS v3.1 base score of 5.5 (MEDIUM) and vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability exists in the visitUris functionality of the Notification component, where a confused deputy condition could lead to unauthorized access to image data (NVD).
If exploited, this vulnerability could result in local information disclosure, potentially allowing an attacker to access image data across user boundaries. The attack requires no user interaction for exploitation, though local access and low privileges are needed (NVD).
Google has released patches to address this vulnerability in the July 2023 Android Security Bulletin. The fix involves granting proper URI permissions and implementing verification of caller app permissions. The patch can be found in the Android source code repository (Android Patch).
Source: This report was generated using AI